The Federal Communications Commission announced Tuesday that wireless service provider AT&T has agreed to pay $13 million to settle a federal investigation into whether it failed to protect customer information in connection with a data breach last year.
The FCC investigation focused on what role AT&T’s privacy, cybersecurity and vendor management practices played in a data breach in January 2023 in which hackers broke into the company’s cloud systems, exposing the data of about 9 million wireless customers.
As part of the settlement, AT&T entered into a consent decree requiring the telecommunications giant to strengthen its data governance practices, improve the integrity of its supply chain, and ensure proper processes and procedures in handling sensitive data.
Prior to the cyberattack, AT&T relied on a third-party vendor to host customer data. The FCC said the user information exposed in the hack, including the number of lines on customers’ accounts and billing information from 2015 to 2017, should have been deleted before the intrusion. The sensitive information did not include customers’ banking information, Social Security numbers or account passwords.
“The Communications Act makes clear that carriers have an obligation to protect the privacy and security of consumer data, and that responsibility takes on new meaning in the digital age of data breaches,” FCC Chairman Jessica Rosenworcel said in a statement. “Carriers must take extra precautions given their access to sensitive information, and we will remain vigilant to ensure that they do so regardless of which provider customers choose.”
FCC Enforcement Director Loyaan A. Egal also said that telecommunications companies “have an obligation to reduce the attack surface and entry points that threat actors may seek to exploit to access customers’ sensitive data.”
AT&T was subsequently breached in April, in a cyberattack announced in July. The hackers intercepted “almost all” of the text messages and call records of the company’s mobile phone customers over a six-month period between May 1, 2022 and October 31, 2022.
AT&T, meanwhile, told CBS News that “protecting customer data remains one of our top priorities.”
AT&T said its wireless customer data was exposed during a breach at a previous vendor.
“While our systems were not compromised in this incident, we are strengthening how we manage customer information internally and implementing new requirements for our vendors’ data management practices,” the spokesperson said.