AT&T Agrees To $13 Million Settlement Over Data Breach

AT&T has agreed to a $13 million settlement following a 2023 data breach that affected millions of customers.

At a Glance

  • AT&T will pay $13 million to 8.9 million customers affected by a data breach.
  • The breach was investigated by the FCC, which held AT&T accountable.
  • The breach was traced back to a third-party cloud vendor.
  • Exposed data included account details but not sensitive information like credit card numbers.

Settlement and FCC Investigation

AT&T has agreed to pay $13 million to 8.9 million customers affected by a data breach that occurred in January 2023. The breach compromised customer data from 2015 to 2017, which should have been deleted by 2018. The FCC investigated the breach and determined AT&T’s responsibility, resulting in the fine.

The Federal Communications Commission emphasized the need for telecom companies to protect consumer data. FCC Chairwoman Jessica Rosenworcel stated, “The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches.”

The breach occurred through a third-party cloud vendor, not AT&T’s own systems. The vendor was responsible for generating personalized video content and billing information. Data that should have been returned or destroyed years ago was reportedly retained, leading to the unauthorized access. FCC Enforcement Bureau Chief Loyaan A. Egal emphasized, “Telecom firms have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data.”

Impact on Customers and Industry

The compromised data included account details such as the number of lines, bill balance, and rate plan information. However, no credit card numbers, social security numbers, or account credentials were exposed. Despite this, the breach has raised concerns about data security in the telecommunications industry.

AT&T stated, “Protecting our customers’ data remains one of our top priorities.”

The breach has underscored the need for stronger data governance and security measures. AT&T has committed to enhancing its security protocols and has signed a Consent Decree to strengthen data governance practices. This includes implementing a data inventory program, enhancing vendor controls, creating an information security program, conducting annual audits, and enforcing data retention and disposal obligations.

FCC’s Role and Future Implications

The FCC is holding AT&T accountable for making significant investments in data protection. The telecommunications industry was a top target for hackers last year, with over 80% of breaches involving cloud-stored data. The FCC fined AT&T $57 million in April for similar failures to protect customer data, signaling a broader focus on cybersecurity practices within the industry.

AT&T has not confirmed whether it will notify affected customers or set up a website where they can check their eligibility for the payout. The FCC noted that AT&T would need to spend more on compliance measures than the $13 million civil penalty as part of the settlement. This case highlights the ongoing need for robust cybersecurity measures and vigilant regulatory oversight to protect consumer data in an increasingly digital world.
