AT&T agreed to pay a $25 million fine on Wednesday to settle federal charges that it failed to protect its customers' sensitive personal information, including Social Security numbers.
Thieves were able to steal information on nearly 280,000 U.S. customers, the Federal Communications Commission said. The penalty is the largest the FCC has ever imposed in a privacy or data-breach case.
According to the FCC, employees in call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer account information without permission, and then gave that information to other groups looking to activate batches of stolen phones. The information included names, phone numbers, and full or partial Social Security numbers.
"The Commission cannot—and will not—stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," FCC Chairman Tom Wheeler said in a statement.
AT&T said the call centers were third-party vendors not under the company's direct control and that there was no evidence that the information had been used for identity theft or financial fraud.
"Protecting customer privacy is critical to us," AT&T said in a statement. "We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We've changed our policies and strengthened our operations. And we have, or are reaching out to affected customers to provide additional information."
In addition to the $25 million penalty, AT&T agreed to notify customers whose information was accessed and to pay for credit-monitoring services for customers affected by the breaches in Colombia and the Philippines. The company had previously acknowledged the theft of information from the call center in Mexico.
In the wake of the massive breaches at Target and Home Depot, President Obama called on Congress earlier this year to pass legislation imposing data security requirements on companies and setting a national standard for breach notification to customers. The FCC's case against AT&T is a reminder that not all breaches involve high-tech hacking—sometimes, insiders are able to just take the information themselves.