AT&T data breaches exposed about 280,000 U.S. customers' names and full or partial Social Security numbers, the government said.
The company agreed to pay a $25 million civil penalty to settle a Federal Communications Commission investigation into the consumer privacy violations, the agency said Wednesday.
The breaches occurred at call centers used by AT&T in Mexico, Colombia, and the Philippines when employees accessed sensitive customer data without adequate authorization. Those employees took payment from third parties who were apparently interested in customer names and Social Security numbers so they could unlock stolen cell phones for sale on secondary markets, the FCC said.
The investigation found that three call center employees in Mexico accessed more than 68,000 accounts without authorization, so the third parties could submit more than 290,000 unlock requests through an AT&T online portal, the agency said. Over the course of the investigation into that breach, the FCC also discovered that approximately 40 company employees in the Philippines and Colombia had accessed about 211,000 customer accounts for the same illicit purposes.