AT&T has agreed to pay $13 million to settle a Federal Communications Commission (FCC) investigation into a data breach that affected 8.9 million customers. The breach occurred in January 2023 and was traced back to a third-party cloud vendor used by AT&T. The compromised data included sensitive customer information such as the number of lines on accounts, bill balances, and rate plan details.
However, it did not include credit card information, social security numbers, or account passwords. The FCC found that AT&T had shared customer data with the vendor for marketing, billing, and personalized video content services. The contract required strict data protection and disposal, but data that should have been deleted in 2017 or 2018 was stolen during the breach.
As part of the settlement, AT&T has agreed to strengthen its data governance practices and pay the $13 million fine. FCC Chairwoman Jessica Rosenworcel emphasized that carriers have a duty to protect consumer data privacy and security, especially in the digital age.
AT&T settles over data breach
AT&T began notifying affected customers in March 2023 and stated that its own systems were not compromised. The company is making enhancements to its internal customer information management and implementing new requirements for vendors’ data management practices. The settlement concludes the FCC’s investigation into the January 2023 breach, but the agency is still examining an additional incident revealed in July.
In that case, hackers accessed six months’ worth of phone and text messages from many AT&T customers through an attack on the third-party cloud platform, Snowflake. AT&T spokesperson Alexander Byers said, “Protecting our customers’ data remains one of our top priorities. Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.”
The consent decree with the government requires AT&T to conduct annual compliance audits, develop a comprehensive information security program, provide stricter oversight of third-party vendors, and better track shared information.
FCC Enforcement Bureau Chief Loyaan Egal, speaking at the Forum Global Annual Data Privacy Conference in Washington D.C., stressed the importance of scrutinizing how companies manage customer data throughout their supply chains. As we investigate these data breaches, we are looking closely at vendor locations, data retention, and overall data management practices,” he said. The settlement serves as a reminder for companies to prioritize data protection and closely monitor their third-party vendors’ data management practices to prevent similar breaches in the future.
