AT&T agreed to pay $25 million to settle a federal complaint that it allowed Social Security numbers and other personal information of almost 280,000 subscribers to be stolen by call center contractors in Mexico, Colombia and the Philippines.
AT&T call center contractors collected personal information of 68,000 subscribers from November 2013 to April 2014, Federal Communications Commission investors said in a complaint released Wednesday. Spanish-speaking subscribers were most likely affected, senior FCC officials said, because the data breaches occurred at call centers devoted to helping those consumers.
The data, which included names and partial Social Security numbers, was used by scammers to submit nearly 300,000 requests to unlock cellphones. While investigating the data breach, FCC officials discovered similar intrusions in Colombia and the Philippines which exposed the personal information of an additional 211,000 subscribers.
While AT&T acknowledged some limited data breaches in its Mexico call center in 2014 through filings with California and Vermont regulators, the scope of the information theft is much broader than originally known. Similar breaches in Colombia and the Philippines were discovered later and haven’t been previously publicly disclosed.
“While any misuse of customer information is serious, we have no reason to believe that the information was used for identity theft or financial fraud against our customers,” AT&T said in a statement. “Instead, our investigation suggests that the improperly accessed information was used to get codes that allow phones programmed for the AT&T network to be used on other networks.”
Thousands of Americans who may have had their Social Security information stolen in late 2013 may only find out about it in the coming weeks because there is no uniform standard in the U.S. for notifying consumers when their private data has been stolen.
Congress has debated a national data breach notification law but has as yet been unable to pass such legislation. Currently, 47 states have data breach notification laws, but they have different standards. For instance, New Mexico, Alabama and South Dakota do not currently require companies to notify consumers when data breaches occur.
AT&T will notify subscribers by mail if their data was stolen and will be required to offer one year of free credit monitoring.
This article originally appeared on Recode.net.