AT&T has agreed to pay a fine of $25 million after investigation by the Federal Communications Commission (FCC) discovered that foreign call centers contracted by AT&T sold customer data to a mobile phone theft operation.

The FCC announced in a news release that, aside from the fine, AT&T has agreed to pay for credit monitoring services and notify the nearly 280,000 AT&T subscribers whose names, phone numbers, and partial social security numbers were accessed by call center employees in Mexico, Colombia, and the Philippines, and given to a third party for a price.

A May 2014 investigation by the FCC's Enforcement Bureau found that three employees in a Mexico call center contracted by AT&T to provide Spanish-language support to American customers were giving away more than 68,000 customers' information to a man called El Pelon, which means bald man, from November 2013 to April 2014. The data also included each subscriber's customer proprietary network information (CPNI), which contains call data such as the time, data, duration, and destination of calls.

The FCC is also looking into whether AT&T properly notified authorities when it found out about the breach. The commission says AT&T did not immediately inform the FCC, which found out through the Office of the Attorney-General in California, where AT&T first reported the breach.

"We have taken steps to help prevent this from happening again, notified affected customers, and reported the matter to law enforcement," Mark Sigel, executive director for media relations at AT&T, said at the time.

Last month, however, the FCC conducted another investigation into three other AT&T call centers located in Bogota, Colombia, and the Philippines for similar data theft suspicions. The FCC found that 40 employees from the Colombian and Philippine call centers also gained unauthorized access to some 211,000 customer information, which were also sold off to third parties.

The FCC believes these third parties buying private customer information belong to phone theft rings requiring customers' social security numbers to receive unlock codes for stolen AT&T phones. AT&T requires both a customer's name and social security information to provide an unlock code, and a single code can be used to unlock up to five similar phones, even if they do not belong to the same account.

"The Commission cannot - and will not - stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," says FCC Chairman Tom Wheeler. "As today's action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers."

AT&T has released its own statement saying it has changed its policies on data security, although it declined to provide more details into what changes it has put in place. The wireless carrier says it is also contacting affected customers.

"Protecting customer privacy is critical to us. We hold ourselves and our vendors accountable to a high standard," says an AT&T spokesperson. "Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate."

Photo: Mike Mozart | Flickr