AT&T to pay $13 million FCC settlement for 2023 data breach

AT&T has agreed to pay $13 million to resolve a Federal Communications Commission (FCC) investigation into whether the telecom giant was adequately protecting customer data. 

The investigation centered on a January 2023 incident where hackers infiltrated the cloud environment of an AT&T vendor and stole troves of customer information. The FCC was looking into whether AT&T did enough to stop the attack and more generally keep customer data safe.

AT&T — which reported nearly $30 billion in earnings last quarter — agreed to the $13 million settlement and entered into a consent decree that forces the company to “strengthen” its data governance practices, “increase its supply chain integrity” and ensure that there are procedures around the handling of sensitive data. 

FCC Chairwoman Jessica Rosenworcel said the Communications Act outlines that carriers like AT&T “have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches.” 

“Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”

An AT&T spokesperson said the company began notifying victims of the incident in March 2023 and the information stolen included the number of lines on one account. The data pertained to wireless customers, the company added. 

FCC Enforcement Bureau Chief Loyaan Egal added that service providers have a duty to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data.

The consent decree requires AT&T to create a data inventory program that tracks customer data, implement more vendor controls or oversight, create an information security program, conduct annual compliance audits and mandate that vendors “adhere to retention and disposal obligations.” 

The FCC argued that given AT&T’s size, the company will have to spend more to comply with the consent decree than they did on the civil penalty

“The Commission will hold AT&T accountable for making these mandatory changes to its data protection practices as required to comply with this Consent Decree and the Communications Act going forward,” the FCC explained. 

The AT&T vendor that was breached created and hosted personalized video content for the company’s customers, building out billing and marketing videos. 

As part of its contract with AT&T, the vendor was supposed to destroy or return any customer information that was provided to them but the telecom failed to verify whether this was done. 

Rosenworcel and the FCC have focused on the cybersecurity practices of telecommunications giants in recent years, warning that the ever-expanding caches of information collected by the companies made it increasingly important for them to improve their cybersecurity practices. 

A 2023 data protection task force at the FCC secured similar consent agreements with Verizon in July. 

Around that time, it was also revealed that AT&T paid a ransom to hackers who obtained metadata from “nearly all” call logs and texts made by AT&T customers over a six-month period in 2022 – affecting about 109 million people. 

That incident came after another cyberattack where the information of 73 million current and former customers was stolen.