AT&T ordered to pay $13M settlement in latest setback for company


After allegedly paying nearly $400,000 for a ransom in May, AT&T is reaching for its wallet again. This time, it’s to settle a cloud breach investigation led by the FCC.

In a press release on September 17th, 2024, the Federal Communications Commission (FCC) announced a $13 million settlement with AT&T to resolve an Enforcement Bureau investigation into the company’s “supply chain integrity” and “whether it failed to protect” the data of AT&T customers.

In January 2023, the telecom company experienced a massive breach when threat actors accessed the data of approximately nine million AT&T wireless accounts. This data was stored by a vendor contracted to create personalized video content, including billing and marketing videos. The company has not disclosed the vendor involved.

ADVERTISEMENT

“The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,” said FCC Chairwoman Jessica Rosenworcel in a press release.

The US Communications Act of 1934 and FCC rules require telecom companies to protect customers' personal information and ensure the security of their data.

This includes responsibility for cloud and vendor security and following best practices for data storage, disposal, and vendor management. The Act also holds carriers accountable for the actions of their agents and contractors.

“Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses,” Rosenworcel added.

To conclude the investigation, AT&T agreed to enhance its data governance practices to protect customers from vendor-related data breaches in the future.

AT&T's contract required the vendor to delete or return customer data once it was no longer needed, which should have happened years before the breach. The investigation found that AT&T failed to ensure the vendor properly protected the data or disposed of it as required.

“As high-value targets, communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data,” said Enforcement Bureau Chief Loyaan A. Egal, who also serves as Chair of the FCC’s Privacy and Data Protection Task Force.

Multiple data breaches

ADVERTISEMENT

The telecommunication giant, which serves upwards of 100 million customers in the US, has been the target for a series of data breaches.

In April, AT&T was affected by a massive data leak. Customer data was illegally downloaded from an online database from the company Snowflake, affecting nearly all of its customers. The exposed data contained phone numbers, call durations, communications metadata, and the number of calls or texts.Reports soon surfaced that the telecom had paid the infamous hacker gang Shiny Hunters a $370,000 ransom demand in May to delete the stolen data.

In March, a leaked database with more than 70 million records, allegedly stolen from AT&T, was posted on the illicit marketplace. The company reportedly claimed that the data came from a breach that took place in 2021.