AT&T agrees to $13 million fine for third-party cloud breach

The Federal Communications Commission has reached a $13 million settlement with AT&T over a January 2023 data breach that was traced to one of its third-party cloud vendors.  

The breach, which resulted in the theft of information related to more than 8.9 million AT&T Mobility customers, happened through an unnamed company the telecom giant used for marketing, billing and generating personalized video content. According to the settlement, AT&T shared customer data, including subscriber data, with the vendor in order to use its services.

The contract between AT&T and the vendor included specific requirements for protecting and disposing of that data, and multiple reviews and assessments conducted between 2016 and 2020 claimed that the vendor was adhering to data deletion policies.

But the January 2023 theft included data that should have been deleted by the vendor in 2017 or 2018, and the FCC concluded that AT&T was ultimately responsible for the lapse.

Speaking at the Forum Global Annual Data Privacy Conference in Washington D.C. on Tuesday, FCC Enforcement Bureau Chief Loyaan Egal said the settlement should put companies on notice that the agency is more closely scrutinizing how businesses ensure their customer data is protected throughout their supply chains.

“As we are investigating these data breaches for U.S. domestic companies and it involves vendors, we’re looking at where are these vendors located [and] data retention,” he said. “Were they supposed to hold on to the data that was breached? Are you able to keep track of the data that is being used by these third parties?”

According to the settlement, AT&T notified the vendor of the breach Jan. 6, 2023 and reported the incident to the government on Feb. 7 of that year through an online reporting form. The stolen data includes the number of phone lines on a customer’s account, bill balance and payment information and rate plan names for approximately 1% of the 8.9 million impacted customers.

In addition to paying a $13 million fine, AT&T entered into a consent decree with the government mandating a series of improvements to the way the company stores and protects its customer data in the cloud.

Those actions include annual compliance audits and designing a “comprehensive” information security program to better protect sensitive customer data.

It also requires AT&T to engage in more oversight of its third-party vendor ecosystem, such as limiting access to sensitive customer data, better tracking of what information is shared with vendors, enforcing requirements around data disposal and stricter oversight of the data protection policies and safeguards that vendors employ for their own systems and networks.

When reached for comment, AT&T spokesperson Alexander Byers told CyberScoop that the company began notifying customers of the incident in March 2023 and that the breached data did not contain any credit card information, Social Security numbers, or account passwords.

“Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices,” Byers said in an emailed statement.While the settlement ends the FCC’s probe into the January 2023 vendor cloud breach, the agency is still investigating a much larger breach of AT&T revealed in July, in which hackers were able to access six months of phone and text messages from “nearly all” its customers via an attack on the third-party cloud platform Snowflake.

This story was updated Sept. 17, 2024 with comments from the FCC’s Loyaan Egal.