AT&T has been fined $25 million by the US Federal Communications Commission (FCC) following an investigation into consumer privacy violations at AT&T’s call centres in Mexico, Colombia, and the Philippines, involving the unauthorised disclosure of almost 280,000 US customers’ details.

This is the FCC’s largest privacy and data security enforcement action to date, the authority said in a statement.

The breaches involved social security numbers and unauthorised access to protected account-related data, known as customer proprietary network information (CPNI).

AT&T will have to notify all customers whose accounts were improperly accessed and pay for credit monitoring services for those affected by the breaches in Colombia and the Philippines.

According to an investigation by the FCC’s Enforcement Bureau, employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock.

“The Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom Wheeler.

AT&T will now be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, regularly training employees on the company’s privacy policies, and filing regular compliance reports with the FCC, among other measures.

According to Robert Cattanach, a partner at the international law firm Dorsey & Whitney, the breaches “call into question the integrity of call centres outside of the US. The fact that an initial breach was discovered in Mexico, followed by subsequent discoveries in Colombia and the Philippines, suggests AT&T may have a more serious systemic vulnerability rather than a one-off hack.”

The settlement also “ups the ante for such breaches, with a fine two and a half times the previous largest penalty imposed,” he added.

The Commission said it has taken five major enforcement actions in the last year to protect consumer privacy and data security. These include a $2.9 million fine against Dialing Services for violating Commission rules that seek to protect consumers from “harassing, intrusive, and unwanted robocalls” to mobile devices and a $7.5 million settlement with Sprint to resolve an investigation into Sprint’s failure to honour consumers’ do-not-call or do-not-text requests.

The FCC also wants to change government rules for frequency auctions so that big companies cannot use a discount programme actually meant for small businesses.