Photo

The Federal Communications Commission fined AT&T $25 million for failing to protect the personal information, including Social Security numbers, of its customers, the agency said on Wednesday. The penalty is the largest the F.C.C. has ever issued for data security and privacy violations.

Employees at AT&T call centers in Mexico, Colombia and the Philippines were found to have stolen the names and full or partial Social Security numbers of about 280,000 of the wireless carrier’s customers in the United States. The workers sold that information to third parties.

In Mexico, the employees were provided specific phone numbers by a third party who went by the alias El Pelón, referring to a bald man in Spanish. From November 2013 to April 2014, the F.C.C. said, the employees sold El Pelón the names and other information tied to those phone numbers. AT&T said it terminated its contract with the Mexican call center in September.

Photo

F.C.C. officials said the parties who bought the data appeared to have been trafficking stolen cellphones they sought to activate. They added that the personal information that employees had taken without authorization was used to submit 290,803 handset unlock requests for mobile phones through AT&T’s website. Agency officials speculated that the third parties could have been seeking to resell those phones in the United States or abroad.

“We’ve changed our policies and strengthened our operations,” AT&T said in a statement. “While any misuse of customer information is serious, we have no reason to believe that the information was used for identity theft or financial fraud against our customers.”

The F.C.C. said it learned of the privacy violations after AT&T reported the activity in Mexico to the California attorney general last year; the agency began investigating the breach in May.

The additional breaches in Colombia and the Philippines were not uncovered until this year, when AT&T reported them to the F.C.C. Those investigations continue, the agency said. It declined to say whether other wireless carriers had relationships with the call centers in question.

“The commission cannot — and will not — stand idly by when a carrier’s lax data-security practices expose the personal information of hundreds of thousands,” Tom Wheeler, chairman of the F.C.C., said in a statement Wednesday.

In addition to the fine, the settlement requires AT&T to notify all affected customers and provide credit-monitoring services. While AT&T still has a relationship with the call centers in Colombia and the Philippines, all the implicated employees have been dismissed, the company and the F.C.C. said, and new measures have been enacted at those call centers to mask private data like Social Security numbers.

“Customers trust that their phone company will zealously guard access to sensitive personal information in customer records,” said Travis LeBlanc, chief of the agency’s enforcement bureau. “We hope that all companies will look to this agreement as guidance.”