On Wednesday, the Federal Communications Commission announced that AT&T would pay $25 million to settle an investigation into data breaches that occurred at the company’s call centers in Mexico, Colombia, and the Philippines. The FCC said that at least two employees confessed to stealing private information belonging to thousands of US customers, including names, full and partial social security numbers, and account-related data, known as customer proprietary network information (CPNI). CPNI data is usually found on a person’s phone bill and contains call metadata.
In all, the FCC estimates that almost 280,000 US customers were affected.
The commission also said that it had been looking into whether AT&T had promptly notified law enforcement regarding the theft of customers’ CPNI.
According to a consent decree between the FCC and AT&T (PDF), the commission began investigating the matter in May 2014 when it learned of a possible data breach that occurred between November 2013 and April 2014 at a Mexican call center that AT&T contracted with to provide Spanish-language customer support services.