AT&T has agreed to a $13 million settlement with the Federal Communications Commission (FCC) after a data breach exposed sensitive information of approximately 9 million customers. The January 2023 breach resulted from the telecommunications company’s failure to enforce its contractual obligations on a third-party cloud vendor, which had mishandled customer data dating back as early as 2015.
The data breach involved a vendor AT&T contracted to provide personalized video content, including billing and marketing materials. During this incident, hackers gained access to customer data, which included customer proprietary network information (CPNI). This type of data encompasses details like the number of phone lines on a customer’s account, phone numbers, and email addresses, but does not include highly sensitive information such as Social Security numbers, credit card information, or passwords. AT&T had previously stipulated that the vendor should return or destroy all customer data once the contract ended, but the company failed to monitor whether the vendor complied, leaving the data vulnerable.
FCC investigation into AT&T data breach
The FCC launched an investigation following the breach, scrutinizing AT&T’s handling of customer data and whether it ensured proper protection through its supply chain. The investigation revealed that the vendor failed to destroy the data when it was no longer required. As a result, AT&T was found responsible for inadequate oversight, which allowed the breach to occur.
A consent decree resolving this investigation requires AT&T to pay $13 million and to strengthen its data governance practices, the FCC said in a Tuesday (Sept. 17) press release.
“The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,” FCC Chairwoman Jessica Rosenworcel said in the release. “Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”
Moving forward, the company will implement a comprehensive information security program that includes vendor management improvements, customer data protection enhancements, and stricter compliance audits.
One critical aspect of this settlement is that AT&T Mobility customers affected by the breach will not need to provide proof to receive compensation. The company already has the affected individuals on file, and it will likely notify eligible customers directly about their compensation options.
AT&T’s commitment to data security
Although AT&T has not admitted any wrongdoing, it has committed to improving its data management practices. In a statement, the company emphasized that “protecting our customers’ data remains one of our top priorities,” while acknowledging that, although its own systems were not compromised, its vendor’s failure led to the breach. AT&T has pledged to enforce stricter data security requirements on its vendors in the future to prevent similar breaches.
“Protecting our customers’ data remains one of our top priorities,” the AT&T statement said. “A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers. Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, and implementing new requirements on our vendors’ data management practices.”
Other recent breaches
This breach is part of a wider pattern of data breaches at AT&T. In July 2024, another breach exposed the call logs of 109 million customers from AT&T’s Snowflake cloud database. That incident compromised metadata, including phone numbers, call durations, and the number of texts or calls made, but did not expose the actual content of communications or personally identifiable information.