AT&T has agreed to a $13 million settlement with the Federal Communications Commission (FCC) following a data breach in January 2023 that compromised customer information. The breach presumably occurred through a cloud vendor and exposed sensitive customer data dating from 2015 to 2017.
The settlement stems from an FCC investigation into whether AT&T had proper vendor oversight and safeguards to protect the data of its 8.9 million affected wireless customers. The breached vendor created personalized billing and marketing videos for AT&T customers. Under its contract, the vendor was required to destroy or return customer data, but the FCC charged that AT&T failed to confirm this happened.
As part of the settlement’s consent decree, AT&T must enhance its data governance and vendor oversight, implement a comprehensive data inventory program, and conduct annual security audits.
Why It Matters: The settlement reinforces the growing scrutiny on telecom companies to protect consumer data as cyberattacks become more frequent. With vast amounts of sensitive information on the line, companies like AT&T must not only bolster their own security measures but also ensure that their vendors comply with strict data protection standards, forging a stronger, more unified defense against potential breaches.
- Vendor Data Breach: The January 2023 breach involved an AT&T vendor responsible for creating marketing and billing videos. Hackers accessed customer data that reportedly should have been deleted years earlier, exposing information such as account details and rate plan data from 8.9 million wireless customers.
- FCC Investigation and Consent Decree: The FCC determined that AT&T had failed to adequately protect customer data, leading to the $13 million settlement. As part of the consent decree, AT&T must improve its data governance, vendor oversight, and security practices.
- Data Security Enhancements: AT&T will implement several security measures, including a data inventory program, increased vendor controls, and annual compliance audits. The FCC emphasized the need for carriers to protect sensitive data in an increasingly digital world.
- Ongoing Cybersecurity Concerns: This breach is not AT&T’s only recent security issue. A larger breach in April 2023 resulted in hackers accessing the call logs and text metadata of 109 million customers, highlighting the persistent cybersecurity risks in the telecom sector.
Go Deeper -> AT&T to Pay $13 Million Over 2023 Customer Data Breach – Reuters
AT&T to Pay $13 Million FCC Settlement for 2023 Data Breach – The Record