The Federal Communications Commission is handing AT&T a $25 million fine, the largest-ever amount for a privacy-related issue, for a series of data breaches that gave out personal information for nearly 280,000 customers and contributed to international trafficking of stolen mobile phones. The breaches occurred during 2013 and 2014 at AT&T call centers in Mexico, Colombia, and the Philippines, all serving customers in the US. AT&T has agreed to a settlement and to making several changes to its security practices.

The stolen data was used to unlock and likely resell cellphones

The commission found that a number of employees at each of the three AT&T call centers had improperly accessed customer information and then sold that information to third parties. The story sounds like a cellphone heist: in Mexico, an entity known as El Pelon provided call center workers with a list of phone numbers that it wanted them to look up. Workers would then grab information associated with the account — including customer name and the last four digits of the owner's social security number — and sell it back to El Pelon.

In all locations, the stolen information was used to make unlock requests for the associated phones through AT&T's website, potentially allowing the phones to be resold. The commission believes that El Pelon is an alias, and it is not aware of the third parties involved at the other two call centers. Additional data was exposed to call center employees during the breach, including call metadata such as who a person called and for how long, but it does not appear that this information was forwarded to the third parties. AT&T says that it is "terminating vendor sites as appropriate."

"The commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," FCC chairman Tom Wheeler says in a statement. "As today’s action demonstrates, the commission will exercise its full authority against companies that fail to safeguard the personal information of their customers."

AT&T will have to pay the $25 million fine within 30 days. It will have to notify all customers whose accounts were accessed and provide them with credit monitoring services. AT&T has also agreed to improve its data security practices, appoint a compliance manager with expertise in privacy, and regularly submit compliance reports to the FCC. "We’ve changed our policies and strengthened our operations," AT&T says in a statement. "And we have, or are, reaching out to affected customers to provide additional information." The commission notes that its investigation into the breaches is ongoing, and it's possible that more AT&T customers than it currently knows of have been affected.