AT&T to Pay FCC $13 Million for Vendor Data Breach

One cyber expert said the fine may signal a turning point in corporate cybersecurity.

Edward Gately, Senior News Editor

September 18, 2024


AT&T is paying $13 million to settle a Federal Communications Commission (FCC) investigation in connection with a vendor’s data breach in 2023.

According to the FCC, AT&T used the unnamed vendor to generate and host personalized video content, including billing and marketing videos, for AT&T customers. Under AT&T’s contracts, the vendor should have destroyed or returned AT&T customer information when no longer needed to fulfill contractual obligations, which ended years before the data breach occurred.

AT&T failed to ensure the vendor adequately protected the customer information, and returned or destroyed it as required by contract, the FCC said.

Investigation Into AT&T’s Role in Data Breach

Threat actors in January 2023 stole information about AT&T customers from the vendor’s cloud environment, according to the agency. The investigation centered on whether AT&T failed to protect customer information and engaged in “unreasonable privacy, cybersecurity and vendor management practices” in connection with the data breach.

The FCC said AT&T committed to strengthening its data governance practices to increase its supply chain integrity, and ensure it handles sensitive data with "appropriate processes and procedures."

“The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,” said Jessica Rosenworcel, FCC chairwoman. “Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”


AT&T No Longer Uses Vendor

AT&T sent us the following statement:

“Protecting our customers’ data remains one of our top priorities. A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers. Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.”

AT&T said it began notifying customers of this incident in March 2023. The data included information like the number of lines on an account. It did not contain credit card information, Social Security numbers, account passwords or other sensitive personal information.

Jason Soroko, senior fellow at Sectigo, said the AT&T settlement with the FCC may mark a turning point in corporate cybersecurity, underscoring that a company’s obligation to protect consumer data extends deep into its supply chain.



“In today’s interconnected digital landscape, robust vendor oversight isn’t just prudent, but it is imperative for safeguarding privacy and maintaining trust,” he said. “The lesson learned is that organizations must proactively secure not only their own systems, but also rigorously manage and monitor their vendors, as neglecting this can lead to significant breaches and regulatory consequences.” 

Supply Chain Risk Significant Problem

Narayana Pappu, CEO of Zendata, said this FCC fine showcases that even companies as sophisticated as AT&T do not have a handle on data supply chain risk, which continues to be a significant problem across telecom and other industries that handle large amounts of personal user data. 


“Most of the controls within these companies are at a surface level, heavily driven by questionnaire/risk assessment documents, rather than actual verification/quantification of the risks,” he said.

In July, AT&T disclosed a massive data breach that impacted nearly all of the telecom giant’s cellular customers, as well as non-customers on its network. AT&T said its data was stolen from Snowflake as part of a cyber threat campaign targeting Snowflake customers.


About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
