AT&T data breaches exposed about 280,000 U.S. customers' names and full or partial Social Security numbers, the government said.
The company agreed to pay a $25 million civil penalty to settle an Federal Communications Commission investigation into the consumer privacy violations, the agency said Wednesday.
The breaches occurred at call centers used by AT&T in Mexico, Colombia, and the Philippines when employees accessed sensitive customer data without adequate authorization. Those employees took payment from third parties who were apparently interested in customer names and Social Security numbers so they could unlock stolen cell phones for sale on secondary markets, the FCC said.
The investigation found that three call center employees in Mexico accessed more than 68,000 accounts without authorization, so the third parties could submit more than 290,000 unlock requests through an AT&T online portal, the agency said. Over the course of the investigation into that breach, the FCC also discovered that approximately 40 company employees in the Philippines and Colombia had accessed about 211,000 customer accounts for the same illicit purposes.
"As the nation's expert agency on communications networks, the Commission cannot—and will not—stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," FCC Chairman Tom Wheeler said in a press release.
As part of its settlement with the FCC, AT&T agreed to notify all customers whose accounts were improperly accessed, and to pay for credit monitoring services for those customers affected by the breaches in Colombia and the Philippines, the agency said.
The telecom also assented to improving its security practices and regularly filing compliance reports to the FCC, according to the release.
"Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard," an AT&T spokesman told CNBC.
He added that the company is terminating some of its vendor sites "as appropriate." AT&T has changed some security policies and is reaching out to affected customers to provide additional information, he confirmed.
—CNBC's Ryan Ruggiero contributed to this report.