AT&T to Pay $13 Million Settlement for Vendor-Related Data Breach

AT&T has reached a settlement with the Federal Communications Commission (FCC) following an investigation into a data breach that exposed the information of millions of its customers. The breach, which occurred in January 2023, was traced back to an unidentified vendor previously used by AT&T. As a result, data collected from 8.9 million AT&T customers was compromised.

The FCC announced on September 17 that AT&T has agreed to pay $13 million to resolve the investigation. The settlement focuses on AT&T’s supply chain integrity and whether the company failed to adequately protect its customers’ information in connection with the breach. Loyaan Egal, chief of the Enforcement Bureau and chair of the FCC’s privacy and data protection task force, emphasized the importance of responsible data management, stating, “Today’s announcement should send a strong message that the Enforcement Bureau will not hesitate to take action against service providers that choose to put their customers’ data in the cloud, share that data with their vendors, and then fail to be responsible custodians of that data.”

The FCC alleged that AT&T failed to ensure the vendor properly protected customer information and did not verify that the data had been returned or destroyed as required by their contracts. However, both AT&T and the FCC confirmed that sensitive information such as credit card numbers, Social Security numbers, and account passwords was not compromised in the breach. The exposed information primarily included details about customers’ accounts, such as the number of lines and billing balances.

As part of the settlement, AT&T has committed to enhancing its data governance practices and strengthening its oversight of vendors. The company will implement a comprehensive information security program to protect customer data, improve tracking of customer information through a new inventory system, and enforce stricter data retention and disposal obligations for its vendors. AT&T will also introduce multifaceted vendor controls, conduct annual compliance audits, and limit vendor access to sensitive information to only what is necessary for business operations.

An AT&T spokesperson emphasized the company’s dedication to protecting customer data, stating, “Protecting our customers’ data remains one of our top priorities.” The spokesperson acknowledged the security incident involving the vendor and assured that AT&T’s systems were not compromised. However, the incident prompted the company to make internal improvements in managing customer information and implement new requirements for vendors’ data management practices.

In a separate incident unrelated to the vendor breach, AT&T disclosed in July that customer data had been illegally downloaded from a third-party cloud platform in April 2024. This breach affected nearly all AT&T cellular customers and included records of calls and texts from May to October 2022. AT&T confirmed that no personal information, such as Social Security numbers or message content, was compromised. The company has taken steps to secure the system and is cooperating with law enforcement.

These incidents highlight the ongoing challenges that companies face in safeguarding customer data. With cyber threats becoming increasingly sophisticated, it is crucial for organizations to prioritize data security and establish robust protocols for vendor management. AT&T’s settlement with the FCC serves as a reminder that service providers must be diligent in their efforts to protect customer information and hold their vendors accountable for data security. By implementing comprehensive information security programs and conducting regular audits, companies can enhance their data governance practices and minimize the risk of data breaches.