The Washington PostDemocracy Dies in Darkness

AT&T will pay $25 million after call-center workers sold customer data

(Rick Wilking / Reuters)

AT&T has agreed to pay a $25 million fine for multiple data breaches that leaked hundreds of thousands of customer records, including names, phone numbers and some Social Security numbers.

On at least three occasions, outsiders paid AT&T call center employees to provide them with sensitive customer information, according to the Federal Communications Commission, which announced the settlement Wednesday. The breaches occurred in AT&T's foreign call centers in Mexico, Colombia and the Philippines.

As many as 279,000 AT&T customers may have been affected by the unauthorized leaks, regulators said. Those customers will receive free credit monitoring as part of the official settlement. The agreement also requires at AT&T to appoint a privacy official who will review the company's policies and strengthen its security.

The fine marks the FCC's largest data security action ever. In October, the agency fined two telecom companies $10 million for inadvertently releasing customer data.

[With a $10 million fine, the FCC is leaping into data security for the first time]

In a statement Wednesday, FCC Chairman Tom Wheeler said his agency would not "stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud.”

The type of information accessed by the thieves is protected by federal regulations. In the wrong hands, the data can be used by thieves to obtain "unlock" codes that enable phones to be used with any wireless carrier. Stolen phones that have been unlocked are more valuable on the black market because they can be sold virtually anywhere.

The FCC said the Mexico breach lasted for more than five months between 2013 and 2014. Three AT&T contractors improperly used 68,000 customer records to request more than 290,000 unlock codes from AT&T.

AT&T conceded in a statement Wednesday that "a few of our vendors" failed to uphold subscribers' confidence.

"Protecting customer privacy is critical to us," the company said. "We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information."