In January 2023 [1] [2] [4] [5] [7] [8], a breach of a third-party vendor’s cloud system exposed data from nearly 9 million AT&T Mobility customers, resulting in a $13 million settlement with the FCC [5].
Description
The breach compromised customer account details [5], including billing and marketing videos [3], line counts [3], bill balances [3], and rate plan information from 2015 to 2017. Sensitive information like credit card numbers or Social Security numbers was not included in the breach. AT&T reported the breach to the vendor in January 2023 and to the government in February of the same year.
The FCC found that AT&T failed to ensure the vendor adequately protected the customer information and did not return or destroy it as required by contract [8]. As part of the settlement [1] [4] [5] [6] [8], AT&T will enhance its data governance and supply chain integrity practices [1], including implementing a comprehensive information security program and conducting annual compliance audits [1]. FCC Chairwoman Jessica Rosenworcel emphasized carriers’ duty to protect consumer data in the digital age [1] [4], while FCC Enforcement Bureau chief Loyaan Egal emphasized the obligation of communications service providers to protect customer data [1]. AT&T entered into a consent decree as part of the settlement.
Additionally, AT&T disclosed a subsequent cyberattack in April [4], exposing text and call records of cellular customers [4]. AT&T stated that protecting customer data is a top priority and is implementing enhancements to manage customer information internally and with vendors [4].
The settlement with the FCC addresses violations related to the breach, including AT&T’s failure to protect customer proprietary information and improper disclosure of customer data without approval [7].
Conclusion
The breach of customer data highlights the importance of robust data protection measures and vendor oversight. AT&T’s settlement with the FCC underscores the need for companies to prioritize data security and compliance with regulations. Moving forward, AT&T’s commitment to enhancing its data governance and supply chain integrity practices will be crucial in maintaining customer trust and safeguarding sensitive information.
References
[1] https://www.infosecurity-magazine.com/news/att-13m-fcc-settlement-cloud-data/
[2] https://cyberscoop.com/att-agrees-to-13-million-dollar-fcc-fine/
[3] https://arstechnica.com/tech-policy/2024/09/att-fined-13m-for-data-breach-after-giving-customer-bill-info-to-vendor/
[4] https://www.cbsnews.com/news/att-to-pay-13-million-customer-data-breach/
[5] https://www.crn.com/news/security/2024/at-t-will-pay-13-million-in-fcc-settlement-over-third-party-breach
[6] https://finance.yahoo.com/news/t-agrees-pay-13-million-173510900.html
[7] https://insidecybersecurity.com/daily-news/fcc-reaches-settlement-att-over-data-breach-vendor-cloud-environment
[8] https://www.theverge.com/2024/9/17/24247549/at-t-will-pay-the-fcc-13-million-to-settle-a-hacking-investigation