Pair of call centre staff sold on data to mysterious ‘El Pelon’.
AT&T has agreed to pay a $25m (£16.8m) civil penalty to settle a series of data breaches that affected 280,000 of its customers.
The attacks on the telecoms firm took place between 2013 and 2014 at its call centres in Mexico, the Philippines and Columbia, which were serving American customers.
Tom Wheeler, chairman of the US Federal Communications Commission (FCC), said: "As the nation’s expert agency on communications networks, the commission cannot – and will not – stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud.
"As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers."
According to the FCC at least two AT&T staff were believed to have sold information to a third-party, known to the pair as "El Pelon".
The leakage led to more than 50,000 being used to place unlock requests through AT&T’s request portal, facilitating the trafficking of stolen mobile phones.
Under the deal AT&T must pay the fine within a month, and must also notify the customers who have been affected by the breach and take steps to improve its security.
In a statement it said: "We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information."
Meanwhile the FCC, which AT&T must now submit regular compliance reports to, will continue to investigate in a bid to establish whether more people have been affected.