The Federal Communications Commission (FCC) has fined AT&T $25 million for a privacy breach after the personal information of hundreds of thousands of customers was stolen by the carrier’s own support representatives.

AT&T call center workers in Mexico, Colombia, and the Philippines were found to have taken the names and Social Security numbers of around 300,000 customers in the United States before selling them on to third parties.

“In Mexico, the information was gathered from November 2013 to April 2014, and sold to a third party who went by the alias El Pelón, referring to a bald man in Spanish,” reports The New York Times. Workers were asked to find the names and details corresponding to certain phone numbers that El Pelón had provided.

It’s thought the data was then used to try to activate stolen cellphones that were being imported into the country. More than 290,800 handset unlock requests were made through AT&T’s website using stolen customer information.

AT&T, which already ended its contract with the Mexican call center last September — four months after the FCC first began investigating the breach — said it has since changed its policies and strengthened operations.

“While any misuse of customer information is serious, we have no reason to believe that the information was used for identity theft or financial fraud against our customers,” the carrier added.

In addition to its $25 million fine, AT&T must notify all customers affected by the privacy breach and provide credit-monitoring services, The Times reports.

The investigations into call centers in Colombia and the Philippines are still ongoing. The data breaches there were not discovered until later, with AT&T first reporting them to the FCC this year.