Between approximately November 2013 and April 2014, employees at AT&T’s outsourced call centers in Colombia, Mexico, and the Philippines improperly accessed records of approximately 280,000 U.S. customers and provided their names and full or partial Social Security numbers to unauthorized third parties. The third parties used this data to submit fraudulent unlock requests for AT&T mobile devices, enabling phones to be used with other carriers. AT&T became aware of some employee misconduct and terminated the employees, but failed to adequately notify affected customers promptly. The FCC launched an investigation and in April 2015 announced a $25 million settlement — the largest FCC data security enforcement action at that time. AT&T was required to notify all affected customers, appoint a compliance manager, conduct employee training, and improve its data security practices. The incident highlighted the risks of sharing sensitive customer data with outsourced service providers and demonstrated that carriers’ CPNI (Customer Proprietary Network Information) protections must extend to their contractors.