AT&T to Pay $13 Million Settlement for Vendor-Related Data Breach
In January 2023, AT&T experienced a data breach that exposed the data of 8.9 million customers. The breach occurred due to the actions of an unidentified vendor previously used by AT&T. As a result, the Federal Communications Commission (FCC) launched an investigation into the breach, focusing on AT&T’s supply chain integrity and its responsibility to protect customer information.
On September 17, the FCC announced that AT&T had agreed to pay a $13 million settlement to resolve the investigation. The settlement signifies the FCC’s commitment to holding service providers accountable for their customers’ data. Loyaan Egal, Chief of the Enforcement Bureau and Chair of the FCC’s privacy and data protection task force, emphasized the importance of responsible custodianship of customer data in his statement.
The FCC alleged that AT&T had failed to ensure that the vendor adequately protected customer information and did not verify whether the vendor had returned or destroyed the data as required by their contracts. However, both AT&T and the FCC confirmed that sensitive information, including credit card numbers, Social Security numbers, and account passwords, had not been compromised.
As part of the settlement, AT&T has committed to implementing enhanced data governance practices and strengthening its vendor oversight. The company will establish a comprehensive information security program to safeguard customer data. They will also introduce a new inventory system to better track customer information and enforce stricter data retention and disposal obligations for vendors.
AT&T will implement multifaceted vendor controls and conduct annual compliance audits to ensure adherence to the new protocols. They will also limit vendor access to sensitive information to only what is necessary for business operations. These measures aim to prevent similar breaches from occurring in the future and demonstrate AT&T’s dedication to protecting customer data.
An AT&T spokesperson emphasized that the protection of customer data remains a top priority for the company. They acknowledged the previous security incident involving a vendor but clarified that AT&T’s systems were not compromised. The spokesperson highlighted AT&T’s commitment to enhancing their internal management of customer information and implementing stricter requirements for vendor data management practices.
In an unrelated incident, AT&T disclosed in July that customer data had been illegally downloaded from a third-party cloud platform in April 2024. This breach affected nearly all AT&T cellular customers and included records of calls and texts from May to October 2022. However, AT&T assured customers that no personal information, such as Social Security numbers or message content, had been compromised. The company has taken steps to secure the system and is cooperating with law enforcement in their investigation.
These incidents underscore the importance of robust data security measures for companies like AT&T. With the increasing prevalence of data breaches, businesses must remain vigilant in protecting customer information. The FCC’s settlement with AT&T serves as a reminder that service providers must take responsibility for the security of their customers’ data. By implementing comprehensive information security programs and strengthening vendor oversight, companies can mitigate the risk of data breaches and uphold their commitment to customer privacy.
