By Josh Long

The Federal Communications Commission on Wednesday announced a record $25 million settlement with AT&T Services Inc. to resolve a probe into violations of consumer privacy at call centers in Columbia, Mexico and the Philippines.

The settlement marks the agency’s largest ever privacy and data security enforcement action following the unauthorized disclosure of nearly 280,000 names of U.S. customers, the FCC said. Other private information also was compromised including full or partial Social Security numbers and so-called customer proprietary network information.

The agency’s Enforcement Bureau learned that employees at call centers used by AT&T accessed customer records without authorization and obtained personal information, then shared it with “unauthorized third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock,” according to an FCC news release.

Under the agreement with the FCC, AT&T will pay a $25 million civil penalty, notify all customers whose accounts were accessed without their authorization, pay for credit monitoring services for consumers affected by the breaches in Colombia and the Philippines, and improve its privacy and data security practices.

“Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard,” AT&T said in a statement. “Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information.”

The data breach at a call center in Mexico endured for 168 days in which third parties paid call-center employees for customer information that could be used to request codes to unlock cellular handsets, the FCC said. The employees accessed more than 68,000 accounts without authorization, and the third parties used the data to make nearly 291,000 requests through an AT&T online portal to unlock handsets, the agency added.

During the course of its investigation, which it launched in May 2014, the Enforcement Bureau discovered additional breaches of data at call centers in Columbia and the Philippines. Roughly 211,000 customer accounts were improperly accessed in the Colombian and Philippine call centers, the FCC said.

The FCC became aware of the breaches last year through a variety of sources, including a report AT&T submitted to the California Attorney General’s Office, an FCC official said Tuesday in a call with reporters. The official said 47 states have data breach laws.

Although the criminals are suspected of trafficking in stolen cell phones, the official said he did not know where such devices were shipped.

The FCC isn’t responsible for criminally prosecuting wrongdoers in such data breach cases. But failure to reasonably protect consumers’ personal information violates federal communications law and therefore falls within FCC’s jurisdiction. Over the last year, the agency has taken enforcement actions valued at more than $50 million to protect consumer privacy and data security, the FCC said.   

“Today’s agreement shows the Commission’s unwavering commitment to protect consumers’ privacy by ensuring that phone companies properly secure customer data, promptly notify customers when their personal data has been breached, and put in place robust internal processes to prevent against future breaches,” said Travis LeBlanc, chief of the Enforcement Bureau, in a statement. “We hope that all companies will look to this agreement as guidance.”