In Short:
AT&T will pay $13 million to settle a data breach investigation that affected 8.9 million wireless customers in January 2023. The FCC found that AT&T failed to protect customer information, which should have been deleted. Although the breach didn’t expose sensitive data like credit card or Social Security numbers, AT&T plans to improve data management practices to prevent future issues.
By David Shepardson
Investigation and Settlement
AT&T has reached an agreement to pay $13 million to settle an investigation related to a data breach involving a cloud vendor that occurred in January 2023. The incident affected approximately 8.9 million wireless customers, as stated by the Federal Communications Commission (FCC).
Details of the Breach
The FCC confirmed that the settlement would resolve its inquiry into whether AT&T failed to adequately protect customer information. As part of the agreement, AT&T has committed to enhancing its data governance practices to ensure better integrity within its supply chain regarding sensitive data management. This is aimed at safeguarding consumers against similar breaches in the future.
The exposed data, which dated back to customers from 2015 to 2017, should have been deleted by 2017 or 2018. It included account details such as the number of lines and, in some cases, bill balances and rate plan information. However, it is important to note that the breach did not compromise credit card information, Social Security numbers, passwords, or other sensitive personal data, according to both AT&T and the FCC.
Company Response
AT&T indicated that the breach was a result of a hacking incident experienced by a third-party vendor. The company emphasized that its own systems were not compromised during this event. In response, AT&T plans to improve its management of customer information and enforce stricter data management protocols with its vendors.
Regulatory Oversight
FCC Chair Jessica Rosenworcel stated that carriers are responsible for protecting consumer data privacy and security, a responsibility which takes on heightened significance in the context of data breaches in the digital age.
Additional Investigations
The FCC is currently investigating a more extensive data breach associated with AT&T, disclosed in July. This incident, which occurred in April, involved the illegal downloading of approximately 109 million customer accounts. Details revealed that call logs covering about six months of customer call and text data from 2022 were accessed from a Snowflake cloud platform.
