WASHINGTON — AT&T is paying $25 million in a settlement with federal regulators over data breaches at call centers in Mexico, Colombia and the Philippines that compromised customer data for some 280,000 U.S. customer accounts.
The Federal Communications Commission announced the agreement Wednesday with the second-largest U.S. wireless carrier. It was the agency's largest privacy and data-security enforcement action to date.
The breaches occurred from Nov. 4, 2013 to April 21, 2014 at a call center in Mexico, from Feb. 14 to July 14, 2014 in Colombia and from May 20 to December 2014 in the Philippines, the FCC said. Most customers were Spanish-speaking U.S. residents.
Call center employees were paid by third parties to obtain customer information such as names and full or partial Social Security numbers. The information was used to submit online requests for cellular unlock codes for stolen cellphones, the agency said.
The call centers were operated by contractors of Dallas-based AT&T.
AT&T will notify all customers whose accounts were compromised and pay for credit monitoring services for customers affected by the breaches in Colombia and the Philippines. AT&T previously paid for credit monitoring services for customers affected by the breach in Mexico.
The company also is required under the settlement to improve its privacy and data-security practices by appointing a senior compliance manager and taking other steps.
"Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard," AT&T said in a statement. "Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We've changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information."
The third parties who obtained the customers' personal data appear to have trafficked in stolen cellphones or secondary-market phones they wanted to unlock, according to the FCC.