AT&T will pay a $25 million fine for "lax security" at overseas call centers where employees stole personal data for mobile phone traffickers, US regulators said Wednesday.
The Federal Communications Commission announced the settlement in the case which affected some 280,000 AT&T customers.
FCC officials said the lack of security at AT&T call centers in Mexico, Colombia, and the Philippines allowed employees in those locations to steal personal information which could be used to "unlock" stolen phones.
The employees "provided that information to unauthorized third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock," an FCC statement said.
The breach allowed those in the scheme to get customer names, full or partial social security numbers and other data that could be used to submit an "unlock" request to the big US telecom carrier, allowing them to resell stolen devices.
The breaches exposed US victims to potential identity theft, according to the FCC, which said the settlement requires AT&T to offer credit monitoring and notifications to affected consumers.
FCC chairman Tom Wheeler said the agency "cannot -- and will not -- stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud.”
The FCC began a probe after learning of a 168-day data breach that took place at an AT&T call center in Mexico between November 2013 and April 2014.
During this period, three call center employees were paid by outside parties to obtain customer information that could then be used to submit online requests for cellular handset unlock codes, the FCC said.
In Mexico, some 68,000 customers had data compromised, according to investigators.
The probe later was extended to call centers in Colombia and the Philippines. In those two countries, 40 employees were able to access the confidential data and sold information on around 211,000 customers, the FCC said.
The FCC said the case represented its "largest privacy and data security enforcement action to date" and also requires AT&T to upgrade its security procedures and appoint a privacy compliance officer.
AT&T said in a statement regarding the case that it sees customer privacy as "critical."
"We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate," the company said
"We've changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information."