AT&T has agreed to pay a $25 million penalty in a settlement with federal regulators after data breaches in several Latin American call centers exposed the personal information of nearly 280,000 U.S. customers. In a complaint released Wednesday, Federal Communications Commission (FCC) officials stated call center contractors in Mexico, Colombia and the Philippines collected sensitive account information from subscribers, including Social Security numbers, between November 2013 to April 2014. According to the FCC, most customers affected were Spanish-speaking U.S. residents. The FCC's investigation revealed that three call center employees in Mexico accessed more than 68,000 accounts without proper authorization in order for the third-parties to submit hundreds of thousands of unlock requests through AT&T’s online portal. Furthermore, the agency discovered that approximately 40 company employees based in Colombia and the Philippines also accessed over 211,000 customer accounts with the same malicious intentions. "As the nation's expert agency on communications networks, the Commission cannot—and will not—stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," said FCC Chairman Tom Wheeler in a press release. Meanwhile, AT&T said in a statement:
“While any misuse of customer information is serious, we have no reason to believe that the information was used for identity theft or financial fraud against our customers.”
The telecom giant agreed to notify all impacted customers and offer free credit monitoring services for one year. In addition, the company plans to bolster its security practices and consented to filing regular compliance reports to the FCC. The $25 million settlement comes as the agency’s largest privacy and data-security enforcement action to date.