International Circuit
AT&T to pay $13 million over 2023 customer data breach
AT&T has agreed to pay $13 million to resolve an investigation over a data breach of a cloud vendor in January 2023 that impacted 8.9 million AT&T wireless customers, the Federal Communications Commission said Tuesday.
The FCC said the fine will resolve its investigation over whether AT&T had failed to protect the information of its customers and added AT&T had agreed to boost its data governance practices to increase supply chain integrity in the handling of sensitive data to protect consumers from similar vendor data breaches in the future.
The FCC said the data exposed in 2023 covered customers from 2015 through 2017 that should have been deleted in 2017 or 2018.
The exposed data included information like the number of lines on an account and in a few cases bill balance and rate plan information but did not contain credit card information, Social Security Numbers, account passwords and other sensitive personal information, AT&T and the FCC said.
AT&T said the prior vendor experienced a hacking incident exposing customer data. “Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices,” the company said.
FCC Chair Jessica Rosenworcel said “carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches.”
The FCC is also investigating a much larger data breach at involving AT&T.
The carrier disclosed in July a massive hacking incident in April that resulted in the illegal downloading of about 109 million customer accounts. AT&T disclosed call logs were copied from its workspace on a Snowflake cloud platform covering about six months of customer call and text data from 2022 from nearly all its customers. Reuters