AT&T will pay $25 million to settle accusations that employees at call centers in the Philippines, Mexico and Colombia stole the financial information of U.S. customers to break into stolen phones that were protected by personal codes.

The Federal Communications Commission's enforcement bureau had spent the past year investigating AT&T call-center employees in Mexico, who it says collected customer information to sell to outsiders — "unauthorized third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock."

The FCC had alleged that AT&T's breaches resulted in the leak of information about almost 280,000 U.S. customers, including partial Social Security numbers and other "account-related data."

While stolen phones protected by passcodes are hard to sell, unlocked phones easily find buyers in secondary markets all over the world. BuzzFeed reporter Matt Stopera chronicled his adventure of meeting a man in China who had received Stopera's stolen iPhone as a gift.

At AT&T, only three employees in Mexico managed to obtain private customer information for more than 68,000 customer accounts. That data was then used to contact AT&T with 290,803 requests to unlock cell phones. The FCC's investigation turned up further evidence of breaches in Colombia and the Philippines, where it alleges another 211,000 customer accounts had been accessed.

An FCC spokesperson said its investigation into the breach was based on reports from AT&T, which are required if a carrier suspects a breach. The FCC did not have information about the kind of phones that had been unlocked.

“As the nation's expert agency on communications networks, the commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” FCC chairman Tom Wheeler said in a statement.

AT&T, which now must hire a compliance manager due to its agreement with the FCC, released a statement concerning the settlement:

“Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information.”

AT&T said it will notify customers affected by the breach and offer them a year of credit-monitoring services.