AT&T Will Pay $13 Million In FCC Settlement Over Third-Party Breach

The January 2023 breach of a vendor’s cloud environment led to the exposure of data from 8.9 million AT&T customers, according to the FCC.

AT&T will pay $13 million as part of a settlement with the Federal Communications Commission (FCC) over the 2023 cloud breach of a third-party vendor, which shouldn’t have been holding data from AT&T customers, the agency announced Tuesday.

The January 2023 breach—which affected an unidentified vendor previously used by AT&T—led to the exposure of data from 8.9 million customers of the telecom giant, according to the FCC.

“Under AT&T’s contracts, the vendor should have destroyed or returned AT&T customer information when no longer necessary to fulfill contractual obligations, which ended years before the breach occurred,” the FCC said in a news release announcing the settlement Tuesday.

AT&T “failed” to ensure that the vendor was protecting customer data and had either returned or destroyed the information, the agency said.

“Instead, it remained in the vendor’s cloud environment for many years,” the FCC said in its Consent Decree with AT&T.

The data—which had been shared with the third-party vendor between 2015 and 2017—was exposed during the January 2023 breach of the vendor’s cloud environment, according to the Consent Decree.

Compromised data included details such as the number of lines on a customer’s account — though credit card numbers, Social Security numbers and account passwords were not impacted, AT&T has said.

Along with the $13 million payment, AT&T has committed to making several changes to its processes as part of the settlement, which will resolve the FCC’s investigation into the incident, the agency said.

AT&T has committed to “strengthening its data governance practices to increase its supply chain integrity,” as well as working to “ensure appropriate processes and procedures” are followed when it comes to the handling of customer data, the FCC said.

In a statement provided to CRN Tuesday, AT&T said that “a vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers.”

“Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices,” the telecom giant said in the statement.

More recently, AT&T disclosed in July that records of phone and text messages for “nearly all” customers were exposed in a massive, unrelated data breach.