AT&T pays $13 million FCC settlement over 2023 data breach

Summary: The FCC has settled with AT&T for $13 million following a data breach that exposed customer information of approximately 9 million accounts due to inadequate vendor oversight. The settlement requires AT&T to enhance its data protection practices to prevent future breaches.

Threat Actor: Unknown | unknown
Victim: AT&T | AT&T

Key Point :

  • The breach involved customer proprietary network information, including names, account numbers, and phone numbers, but did not expose sensitive financial data.
  • AT&T has committed to implementing a comprehensive Information Security Program to improve vendor data management and conduct annual compliance audits.
  • Following the breach, AT&T experienced additional incidents, including the exposure of call logs for 109 million customers in 2024.

AT&T

The Federal Communications Commission (FCC) has reached a $13 million settlement with AT&T to resolve a probe into whether the telecom giant failed to protect customer data after a vendor’s cloud environment was breached three years ago.

The FCC’s investigation also examined AT&T’s supply chain integrity and whether the telecom giant engaged in poor privacy and cybersecurity practices.

The massive data breach investigated by the FCC occurred in January 2023, when threat actors accessed customer data of roughly 9 million AT&T wireless accounts stored by a vendor contracted to generate personalized video content, including billing and marketing videos.

“Customer Proprietary Network Information from some wireless accounts was exposed, such as the number of lines on an account or wireless rate plan,” AT&T told BleepingComputer at the time.

“The information did not contain credit card information, Social Security Number, account passwords or other sensitive personal information. We are notifying affected customers.”

The CPNI data exposed in the January 2023 breach included customer first names, wireless account numbers, phone numbers, and email addresses.

Even though the vendor was required to destroy or return the data after the contract ended—years before the breach—it failed to do so. AT&T was found to have inadequately monitored the vendor’s compliance with their contractual obligations.

“Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”

AT&T agrees to boost customer data protection

To settle the investigation, AT&T has also agreed to strengthen its data governance practices to protect its consumers’ sensitive data against similar vendor data breaches in the future.

The consent decree mandates AT&T to implement a comprehensive Information Security Program that includes broad customer data protection, improve its data inventory processes to track data shared with vendors, ensure that vendors follow retention and disposal rules for customer information (to limit the amount of customer data vulnerable to date breaches), and conduct annual compliance audits to assess AT&T’s compliance with these requirements.

“The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,” said FCC Chairwoman Jessica Rosenworcel.

“Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”

Enforcement Bureau Chief Loyaan A. Egal also underscored the significance of the case, noting that “Communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data.”

“Protecting our customers’ data remains one of our top priorities. A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers,” an AT&T spokesperson told BleepingComputer after publishing time.

“Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.

“Consistent with FCC requirements, we began notifying customers of this incident in March 2023.The data included information like the number of lines on an account. It did not contain credit card information, Social Security Numbers, account passwords or other sensitive personal information.”

In July 2024, AT&T warned of another massive data breach after threat actors stole the call logs for roughly 109 million customers (nearly all of its mobile customers) from an online database on the company’s Snowflake account between April 14 and April 25, 2024.

The exposed data contained phone numbers, call durations, communications metadata, and number of calls or texts. However, AT&T said the attackers couldn’t access the content of the calls or texts, customer names, or any other personal information like Social Security numbers or dates of birth.

In April, the company also notified 51 million former and current customers of a data breach linked to a massive amount of AT&T customer data leaked in March on the Breached hacking forum and previously offered for sale for $1 million in 2021.

Update September 17, 14:54 EDT: Added AT&T statement.

Source: https://www.bleepingcomputer.com/news/security/atandt-pays-13-million-fcc-settlement-over-2023-data-breach