“El Pelón”: Sunburned, running free, and mighty happy AT&T call center workers were happy to oblige requests for private customer information.

The Federal Communications Commission has fined AT&T $25 million after an investigation revealed AT&T customer service call center employees sold private, personal information regarding nearly 280,000 AT&T wireless customers to a shadowy figure or group known as “El Pelón,” which translates as a “bald man.”

During 2013 and 2014, employees in call centers in Mexico, Colombia and the Philippines sold customer information to third parties, presumably to help them reactivate stolen cell phones using the original owner’s contact information and at least the last four digits of the customer’s Social Security number.

When El Pelón called, more than a few AT&T employees listened and on request looked up the cell numbers given and provided customer information in return. A short time later, someone accessed AT&T’s website to submit unlock requests for the phone(s) associated with the account. Once unlocked, the phones could be sold almost anywhere around the world.

The investigation by the FCC’s Enforcement Bureau began in May 2014 after three call center employees in Mexico accessed the private information of more than 68,000 AT&T Wireless customers. That information soon led to 290,803 handset unlock requests submitted by third parties.

AT&T then learned around 40 other employees in its Colombia and Philippines call centers were also providing private customer information in return for compensation. Another 211,000 customer records were involved in those data breaches.

In return for its lax security, the FCC has handed AT&T a record-breaking fine of $25 million, and ordered AT&T to beef up security and give affected customers access to a credit monitoring service for a few years.

“The commission cannot — and will not —stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” FCC chairman Tom Wheeler said. “As today’s action demonstrates, the commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”

AT&T has 30 days to pay or contest the fine. The FCC admits it still has no clear idea from AT&T exactly how many customers were victims of the ongoing data breaches. But AT&T promised to do better in the future.

“We’ve changed our policies and strengthened our operations,” AT&T said in a statement. “And we have, or are, reaching out to affected customers to provide additional information.”