AT&T has agreed to a $13 million settlement with the Federal Communications Commission (FCC) to resolve issues stemming from a data breach that exposed AT&T customers’ personal information.
The breach occurred in January 2023 when an AT&T vendor suffered a breach of its cloud environment. The FCC said the exposed data was old and should have been deleted or returned to AT&T long ago.
AT&T used the vendor to generate and host personalized video content, including billing and marketing videos, for AT&T customers.
According to the FCC complaint, AT&T failed to ensure the vendor: (1) adequately protected the customer information, and (2) returned or destroyed it as required by contract.
In January 2023, hackers were able to penetrate the vendor’s cloud system and access the information. The resulting investigation examined whether AT&T failed to protect customer information and engaged in unreasonable privacy, cybersecurity, and vendor management practices in connection with the breach.
To resolve the investigation, AT&T entered into a Consent Decree that also commits the company to beefing up security practices to increase its supply chain integrity and to ensuring appropriate processes and procedures are incorporated into AT&T’s business practices.
‘Duty to protect privacy’
“The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,” said FCC Chairwoman Jessica Rosenworcel. “Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”
Under the terms of the consent decree, AT&T is committed to:
• Enhancing tracking of customer data as part of a data inventory program
• Requiring vendors to adhere to retention and disposal obligations
• Implementing multifaceted vendor controls and oversight
• Implementing a comprehensive Information Security Program to include broad customer data protections
• Conducting annual compliance audits
The FCC did not say whether any of the $13 million would be used to compensate victims of the breach.