AT&T agreed to pay $25 million to U.S. regulators after an investigation found call center workers in Mexico, Colombia and the Philippines improperly disclosed personal data on almost 280,000 customers.
The workers passed U.S. customer names and full or partial Social Security numbers to third parties who used the information to request that mobile phones be unlocked so the devices would work on networks other than AT&T’s, the Federal Communications Commission said Wednesday.
The customer information was given to people who appear to have been trafficking in stolen or secondary market phones they wanted to unlock, the agency said.
“The commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” FCC chairman Tom Wheeler said in a statement.
The penalty was the largest for privacy violations to be levied by the FCC, Travis LeBlanc, chief of the agency’s enforcement bureau, said in a news conference call.
AT&T is “terminating vendor sites as appropriate,” Michael Balmoris, an AT&T spokesman, said in a statement. “We have no reason to believe that the information was used for identity theft or financial fraud.”
AT&T agreed to improve its privacy and security practices, the FCC said.