$13Mn FCC Settlement Over 2023 Data Breach

Continue reading
The Federal Communications Commission (FCC) has reached a $13 million settlement with AT&T following an extensive investigation into the telecom giant's handling of customer data, specifically in relation to a vendor's cloud breach that occurred three years ago. This settlement is a direct consequence of findings that revealed significant gaps in AT&T’s data protection measures, raising concerns about the company’s ability to ensure supply chain security and prevent unauthorized access to sensitive customer information.
The Breach: A Timeline of Events
In January 2023, a security breach targeted AT&T's vendor, which was responsible for creating personalized video content, such as billing and marketing materials. This breach exposed the personal data of approximately 9 million AT&T wireless customers. Although critical details such as credit card numbers, Social Security numbers, and account passwords were not compromised, the exposed Customer Proprietary Network Information (CPNI) included first names, wireless account numbers, phone numbers, and email addresses. AT&T promptly notified affected customers, clarifying that the most sensitive personal information remained secure.
The breach was particularly alarming because the vendor had been contractually obligated to destroy or return customer data after the contract ended—years before the actual breach. However, AT&T failed to adequately monitor the vendor's compliance with this obligation, leading to the unauthorized retention and eventual exposure of customer data.
Supply Chain Integrity and Vendor Oversight Failures
The FCC's investigation extended beyond the breach itself, delving into AT&T's broader privacy and cybersecurity practices. Central to the investigation was the issue of supply chain integrity—specifically, whether AT&T maintained sufficient oversight of its vendors' data handling practices. In this case, the vendor’s failure to destroy or return customer data in a timely manner exposed AT&T’s inadequate supervision of third-party compliance with contractual and regulatory obligations.
The FCC's findings underscored the critical need for telecom companies to monitor not only their own data security protocols but also those of their vendors. As FCC Chairwoman Jessica Rosenworcel emphasized, "Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that's the case no matter which provider a customer chooses."
Strengthening Data Governance and Security Measures
In response to the investigation, AT&T has committed to enhancing its data governance framework to prevent future breaches of this nature. Under the terms of the settlement, AT&T will implement a comprehensive Information Security Program designed to bolster customer data protection and ensure compliance with strict data retention and disposal policies.
Key elements of this new Information Security Program include:
Data Inventory Processes: AT&T will improve its ability to track data shared with third-party vendors, ensuring that all customer data is accounted for and adequately protected.
Vendor Compliance: AT&T will ensure that its vendors adhere to strict data retention and disposal policies, thereby reducing the risk of unauthorized data exposure.
Annual Compliance Audits: The company will conduct regular audits to assess its adherence to the new data security requirements, with a focus on minimizing the potential for future breaches.
The FCC's Enforcement: A Message to the Telecom Industry
The FCC's actions send a clear signal to the telecommunications industry regarding the importance of safeguarding consumer data. In a statement, Enforcement Bureau Chief Loyaan A. Egal reiterated that "Communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data." This case serves as a reminder that even if a company's own systems are not directly compromised, it remains accountable for breaches that occur within its supply chain.
The Continuing Fallout: Additional Data Breaches
Unfortunately for AT&T, the January 2023 breach was not an isolated incident. In July 2024, the company reported yet another significant data breach, in which threat actors accessed call logs for approximately 109 million customers. The attackers exploited vulnerabilities in AT&T's Snowflake account, exposing phone numbers, call durations, and communication metadata. However, the content of the calls, customer names, and highly sensitive personal information were not compromised. Despite these assurances, the sheer scale of the breach has raised further concerns about AT&T's ability to secure its customer data.
Additionally, in April 2024, AT&T notified 51 million current and former customers of a data breach that was linked to an earlier hack in March 2023. This breach resulted in a massive leak of customer data, some of which had been offered for sale on the Breached hacking forum as early as 2021. These successive breaches have only intensified scrutiny of AT&T’s cybersecurity posture, pushing the company to take more aggressive steps in securing its data assets.
Conclusion: A New Era of Data Accountability
The $13 million settlement with the FCC marks a pivotal moment in the evolving landscape of data security within the telecommunications sector. For AT&T, the agreement represents a critical step toward rebuilding trust with its customers and ensuring that its vendors adhere to the highest standards of data protection.
As digital threats continue to evolve, telecom providers must remain vigilant in securing not only their own systems but also the entire supply chain. This case serves as a stark reminder that privacy and security responsibilities do not end at a company’s front door—they extend throughout the entire vendor network.
The FCC’s actions underscore the growing importance of regulatory oversight in holding telecom giants accountable for the security of their customers’ data in the digital age, reinforcing the necessity of proactive governance and comprehensive cybersecurity strategies.
AT&T's future success will hinge on its ability to prevent similar incidents from recurring and demonstrate a genuine commitment to safeguarding the privacy and security of its users.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.