AT&T has agreed to pay $13 million to settle a federal investigation into a major data breach that exposed personal information of nearly nine million wireless customers, the Federal Communications Commission (FCC) announced on Tuesday (September 17).
AT&T Settles Data Breach Probe
The investigation focused on how the telecommunications giant's privacy, cybersecurity, and vendor management practices may have contributed to the breach, which occurred in January 2023. Hackers infiltrated AT&T's cloud system, compromising sensitive customer data that should have been deleted years earlier.
The breach involved a third-party vendor that AT&T had hired to store customer data, but the FCC revealed that this data, mostly from 2015 to 2017, was still being retained when the attack occurred.
The exposed information included customer account details, such as the number of phone lines on accounts and some billing information. Fortunately, no highly sensitive data like bank details, Social Security numbers, or account passwords were compromised in the attack, according to CBS News.
As part of the settlement with the FCC, AT&T entered into a consent decree that requires the company to improve its data governance and increase supply chain oversight. Specifically, AT&T must now ensure it has more stringent processes in place for handling sensitive customer information and that its third-party vendors follow strict data protection protocols.
Additionally, the company has committed to enhancing its internal procedures to better manage customer data and reduce risks from potential future breaches.
FCC Chairwoman Jessica Rosenworcel emphasized the importance of companies like AT&T taking responsibility for protecting customer data.
"The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches," she said in a statement.
The FCC's Enforcement Bureau Chief, Loyaan A. Egal, reinforced this point, noting that telecommunications companies are obligated to reduce vulnerabilities that hackers can exploit.
AT&T Security Scandals
This isn't the first time AT&T has faced significant data security issues. In fact, the company has been the victim of multiple breaches. Earlier in 2023, AT&T disclosed that a separate data breach had occurred in April, which allowed hackers to gain access to call and text records of nearly all its wireless customers.
The breach spanned six months, from May to October 2022. Furthermore, AT&T had experienced another major cyberattack in March, which resulted in the exposure of the Social Security numbers and account passcodes of 73 million customers.
A spokesperson for the company also clarified that, while AT&T's systems were not directly compromised in the January 2023 incident, the breach occurred at a vendor they had previously used. To prevent future incidents, the company has since implemented stronger requirements for how its vendors manage and protect customer data.
The $13 million settlement with the FCC is intended not only to penalize AT&T but also to serve as a warning to other companies that handle large amounts of consumer data. The FCC hopes this case underscores the growing need for strong cybersecurity measures as cyberattacks become more frequent and more sophisticated.