AT&T has agreed to a $13 million settlement after mishandling customer data, which led to a significant data breach. The Federal Communications Commission (FCC) announced the penalty and new regulatory requirements, aimed at strengthening AT&T’s data management practices.
The breach, which came to light in January 2023, was traced back to a failure by one of AT&T’s vendors. Cybercriminals accessed the vendor’s cloud storage and extracted customer data that should have been destroyed years earlier. The exposed information affected around 8.9 million AT&T wireless customers, revealing details such as billing information and account balances.
AT&T had provided this data to the vendor from 2015 to 2017 for creating personalized video content. According to the agreement, the vendor was supposed to destroy or return the data once the project ended. The FCC found that AT&T did not ensure compliance with these terms, resulting in the data remaining in storage and being compromised.
FCC Chairwoman Jessica Rosenworcel emphasized the role of carriers in safeguarding consumer data. “The Communications Act makes it clear that carriers are responsible for protecting consumer privacy. Given the current digital threats, carriers need to adopt rigorous security measures,” she stated.
Legal and Financial Repercussions
The FCC’s ruling requires AT&T to overhaul its data security protocols and vendor management practices. This includes stricter controls over data handling, ensuring vendors meet destruction requirements, and implementing annual compliance audits. The decree demands that AT&T enhance its tracking systems for customer data and limit how much data vendors can access.
While AT&T insists that the breach did not involve highly sensitive data like credit card numbers or Social Security details, it still compromised personal information such as account balances and payment records. The company reported the breach to affected customers in March 2023 and found no evidence of fraud linked to the incident.
Enhancing Security Measures
In response to the settlement, AT&T is committed to significant improvements in its data security systems. The company will introduce new measures to better track and manage customer data shared with vendors. Additionally, AT&T will create a data inventory program to ensure compliance and mitigate future risks.
AT&T acknowledged the incident but highlighted that its systems were not breached. “A vendor we used faced a security issue last year, affecting some of our customers’ data. Although our systems were secure, we’re updating our internal processes and strengthening vendor requirements,” AT&T said.
Accountability and Future Prevention
The FCC’s investigation revealed that AT&T’s vendor, termed “Vendor X,” subcontracted another company, “Supplier 1.” Despite AT&T’s periodic reviews of both entities, the data was not properly disposed of, leading to the breach. The FCC criticized AT&T for failing to enforce the data destruction protocols effectively.
The consent decree requires AT&T to adopt stricter data governance practices and invest significantly in vendor oversight and data security. These obligations will be in effect for three years, with the FCC closely monitoring compliance.
The FCC noted that the cost of implementing these new requirements could far exceed the $13 million fine. “Given AT&T’s extensive use of vendors and its large customer base, meeting these new standards will likely involve substantial expenses beyond the civil penalty,” the FCC stated.
Ongoing Concerns
This breach is not AT&T’s first data management issue involving third-party vendors. In July 2024, the company revealed another breach that exposed call and text records for nearly all of its cellular customers, leading to scrutiny over its data storage practices.
Despite the financial penalty and new oversight, AT&T remains financially robust, with $29.8 billion in revenue and $3.9 billion in net income reported for Q2 2024. The FCC’s actions underscore the growing importance of stringent data protection measures in the telecommunications industry, reflecting the ongoing challenge of safeguarding personal information in the digital age.