The Federal Communications Commission has entered a $25 million settlement with AT&T Services to resolve an investigation into consumer privacy violations at AT&T’s call centers in Mexico, Colombia, and the Philippines. The data breaches involved the unauthorized disclosure of almost 280,000 U.S. customers’ names, full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI).

This is the FCC’s largest privacy and data security enforcement action to date.

According to an investigation by the FCC’s Enforcement Bureau, these data breaches occurred when employees at call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer records without authorization. These employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorized third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock.

AT&T will pay a $25 million civil penalty. The company will also notify all customers whose accounts were improperly accessed. AT&T will pay for credit monitoring services for all consumers affected by the breaches in Colombia and the Philippines. Additionally, AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities.