AT&T to Pay $13 Million in Settlement Over 2023 Data Breach

AT&T has agreed to pay $13 million in a settlement with the FCC over a 2023 data breach at a third-party vendor’s cloud environment.

US wireless carrier AT&T has agreed to pay $13 million in a settlement with the Federal Communications Commission (FCC) over a 2023 data breach.

The incident, disclosed in March 2023, was the result of a cyberattack at a third-party vendor and resulted in the compromise of customer proprietary network information (CPNI) pertaining to roughly nine million AT&T customers.

“In our industry, CPNI is information related to the telecommunications services you purchase from us, such as the number of lines on your account or the wireless plan to which you are subscribed,” AT&T wrote in email notifications sent to the impacted customers.

The third-party vendor, AT&T told SecurityWeek at the time, provided marketing services and the compromised data did not include financial or personal information, such as Social Security numbers, account passwords, credit card, or other sensitive information.

On September 17, 2024, the FCC announced a consent decree (PDF) to resolve its investigation into whether AT&T failed to protect customer information, improperly used and disclosed CPNI without customer approval, failed to identify and prevent attempts to access CPNI, and engaged in “unjust and unreasonable privacy, cybersecurity, and vendor management practices” in connection with the data breach.

According to the consent decree, the vendor should have destroyed or returned AT&T customer information “years prior to the 2023 breach pursuant to relevant contracts AT&T entered into with the vendor”.

“AT&T failed to ensure its vendor adequately protected that customer information; instead, it remained in the vendor’s cloud environment for many years after it should have been deleted or returned to AT&T and was ultimately exposed in the 2023 breach,” the consent decree reads.

As part of the settlement, the wireless carrier will pay a $13 million civil penalty and commit to strengthening its data governance practices to ensure that consumers’ sensitive data is protected against similar threats.

AT&T is required to limit vendor access to and disposal of customer CPNI and other sensitive information, implement a comprehensive security program that covers customer information, track customer data as part of its data inventory program, implement vendor controls and oversight, demand that vendors adhere to retention and disposal obligations, and conduct annual compliance audits.

AT&T will make significant investments in improving the protection of customer information shared with third parties and these investments are expected to be far greater than the civil penalty, the FCC said (PDF).

“The Commission will hold AT&T accountable for making these mandatory changes to its data protection practices, as required to comply with this consent decree, the Communications Act, and the Commission’s rules going forward,” the consent decree reads.

SecurityWeek has emailed AT&T for a statement on the settlement and will update this article as soon as a reply arrives.

UPDATE: AT&T has provided the following statement to SecurityWeek:

“Protecting our customers’ data remains one of our top priorities. A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers. Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.”

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
