Verizon Communications Inc., AT&T Inc. and Sprint Corp. will no longer sell customer data to third-party data brokers after an investigation revealed such data had been leaked.

The investigation found that California-based brokers LocationSmart and Zumigo had sold the location data of millions of Americans to their own corporate customers, making it possible to pinpoint the location of users’ devices.

In a letter to the Federal Communications Commission Ajit Pai, Senator Ron Wyden wrote about the “abusive and potentially unlawful practices of wireless carriers,” stating that at least one company had been providing location data of carriers without their consent.

One such company was Securus Technologies, a provider of prison telephone services, which according to the investigation had been providing the government with easy access to user data. “This practice skirts wireless carrier’s legal obligation to be the sole conduit by which the government conducts surveillance of Americans’ phone records, and needlessly exposes millions of Americans to potential abuse and surveillance by the government,” Widen said.

Verizon was the first company to say it was looking into any possible abuse, stating in a letter to Wyden that though there can be good reasons for location detection such as spotting fraud, this entails user consent. Verizon then said it had ended its contract with LocationSmart and Zumigo after it found those companies had indeed been giving data to law enforcement via their customers without the carriers’ customers knowing anything about it.

“Verizon did the responsible thing,” Wyden said in a statement on Tuesday. “In contrast, AT&T, T-Mobile and Sprint seem content to continuing to sell their customers’ private information to these shady middle men, Americans’ privacy be damned.”

But AT&T soon followed suit, writing in a statement that “we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance.”

In a statement, Sprint said it was “beginning the process of terminating its current contracts with data aggregators to whom we provide location data.” The company added, “This will take some time in order to unwind services to consumers, such as roadside assistance and fraud prevention services.”

T-Mobile Inc. Chief Executive Officer John Legere was less formal, tweeting that his company did “not to sell customer location data to shady middlemen.”

This all comes at a particularly worrisome time for U.S. citizens, following the massive Facebook Inc. data breach, let alone Monday’s news regarding facial recognition technology being sold to the government by companies. All this only adds to fears that privacy is under attack.

Image: Daniel Flathagen via Flickr