AT&T to pay $13 million FCC settlement for 2023 data breach


AT&T has agreed to pay $13 million to resolve a Federal Communications Commission (FCC) investigation into whether the telecom giant was adequately protecting customer data. 

The investigation centered on a January 2023 incident in which hackers infiltrated the cloud environment of an AT&T vendor and stole troves of customer information. The FCC was looking into whether AT&T did enough to stop the attack and, more generally, to keep customer data safe.

AT&T — which reported nearly $30 billion in earnings last quarter — agreed to the $13 million settlement and entered into a consent decree that forces the company to “strengthen” its data governance practices, “increase its supply chain integrity” and ensure that there are procedures around the handling of sensitive data. 

FCC Chairwoman Jessica Rosenworcel said the Communications Act outlines that carriers like AT&T “have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches.” 

“Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”

An AT&T spokesperson said the company began notifying victims of the incident in March 2023 and the information stolen included the number of lines on one account. The data pertained to wireless customers, the company added. 

FCC Enforcement Bureau Chief Loyaan Egal added that service providers have a duty to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data.

The consent decree requires AT&T to create a data inventory program that tracks customer data, implement more vendor controls or oversight, create an information security program, conduct annual compliance audits and mandate that vendors “adhere to retention and disposal obligations.” 

The FCC argued that, given AT&T’s size, the company will have to spend more to comply with the consent decree than it did on the civil penalty.

“The Commission will hold AT&T accountable for making these mandatory changes to its data protection practices as required to comply with this Consent Decree and the Communications Act going forward,” the FCC explained. 

The AT&T vendor that was breached created and hosted personalized video content for the company’s customers, building out billing and marketing videos. 

As part of its contract with AT&T, the vendor was supposed to destroy or return any customer information that was provided to them but the telecom failed to verify whether this was done. 

Rosenworcel and the FCC have focused on the cybersecurity practices of telecommunications giants in recent years, warning that the ever-expanding caches of information collected by the companies made it increasingly important for them to improve their cybersecurity practices. 

A 2023 data protection task force at the FCC secured similar consent agreements with Verizon in July.

Around that time, it was also revealed that AT&T paid a ransom to hackers who obtained metadata from “nearly all” call logs and texts made by AT&T customers over a six-month period in 2022, affecting about 109 million people.

That incident came after another cyberattack where the information of 73 million current and former customers was stolen.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
