AT&T has already agreed to pay $25 million to settle the complaint. The carrier will likely alert thousands of its U.S. customers who may have been affected in the next few weeks.
The data was stolen from call centers that specialized in helping Spanish-speaking customers.
Hackers used the stolen (partial) Social Security numbers and other data to attempt to unlock the personal cell phones of AT&T subscribers, the FCC complaint states.
“We hold ourselves and our vendors to a high standard,” AT&T said in an email to VentureBeat Wednesday. “Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate.”
“We’ve changed our policies and strengthened our operations,” the email reads. “And we have, or are, reaching out to affected customers to provide additional information.”
AT&T had admitted in regulatory filings to the state of California and Mexico that data had been breached, but the breadth of the data that was compromised is much wider than previously known.
“While any misuse of customer information is serious, we have no reason to believe that the information was used for identity theft or financial fraud against our customers,” AT&T said in another statement.
“Instead, our investigation suggests that the improperly accessed information was used to get codes that allow phones programmed for the AT&T network to be used on other networks,” the carrier said.
AT&T will be required to offer a year of free credit monitoring to subscribers who were victimized.