US wireless carrier AT&T has agreed to pay $13 million in a settlement with the Federal Communications Commission (FCC) over a 2023 data breach.
The incident, disclosed in March 2023, was the result of a cyberattack at a third-party vendor and resulted in the compromise of customer proprietary network information (CPNI) pertaining to roughly nine million AT&T customers.
“In our industry, CPNI is information related to the telecommunications services you purchase from us, such as the number of lines on your account or the wireless plan to which you are subscribed,” AT&T wrote in email notifications sent to the impacted customers.
The third-party vendor, AT&T told SecurityWeek at the time, provided marketing services, and the compromised data did not include financial or other sensitive personal information such as Social Security numbers, account passwords, or credit card numbers.
On September 17, 2024, the FCC announced a consent decree to resolve its investigation into whether AT&T failed to protect customer information, improperly used and disclosed CPNI without customer approval, failed to identify and prevent attempts to access CPNI, and engaged in “unjust and unreasonable privacy, cybersecurity, and vendor management practices” in connection with the data breach.
According to the consent decree, the vendor should have destroyed or returned AT&T customer information “years prior to the 2023 breach pursuant to relevant contracts AT&T entered into with the vendor”.
“AT&T failed to ensure its vendor adequately protected that customer information; instead, it remained in the vendor’s cloud environment for many years after it should have been deleted or returned to AT&T and was ultimately exposed in the 2023 breach,” the consent decree reads.
As part of the settlement, the wireless carrier will pay a $13 million civil penalty and commit to strengthening its data governance practices to ensure that consumers’ sensitive data is protected against similar threats.
AT&T is required to limit vendor access to and disposal of customer CPNI and other sensitive information, implement a comprehensive security program that covers customer information, track customer data as part of its data inventory program, implement vendor controls and oversight, demand that vendors adhere to retention and disposal obligations, and conduct annual compliance audits.
AT&T will make significant investments in improving the protection of customer information shared with third parties, and these investments are expected to be far greater than the civil penalty, the FCC said.
“The Commission will hold AT&T accountable for making these mandatory changes to its data protection practices, as required to comply with this consent decree, the Communications Act, and the Commission’s rules going forward,” the consent decree reads.
SecurityWeek has emailed AT&T for a statement on the settlement and will update this article as soon as a reply arrives.
UPDATE: AT&T has provided the following statement to SecurityWeek:
“Protecting our customers’ data remains one of our top priorities. A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers. Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.”
Related: Verizon Subsidiary Settles With FCC for $16M Over Three Data Breaches
Related: Facebook Parent Settles Suit in Cambridge Analytica Scandal
Related: Expert Wins Settlement in Whistleblower Case Against Cisco
Related: Pakistani Man Bribed AT&T Employees to Unlock Phones, Plant Malware