AT&T Agrees $13m FCC Settlement Over Cloud Data Breach
AT&T has agreed to pay $13m to the US telco regulator to settle a long-running investigation into whether it failed to protect customer data stored in the cloud.
The Federal Communications Commission (FCC) explained that the incident stemmed from a supply chain breach in January 2023 when threat actors exfiltrated AT&T customer data from a vendor's cloud environment.
The unnamed vendor was used "to generate and host personalized video content, including billing and marketing videos" for those customers, the regulator confirmed. It's believed around nine million wireless accounts were accessed as a result.
The FCC's investigation had tried to determine whether the telco giant had "engaged in unreasonable privacy, cybersecurity and vendor management practices" in connection with the breach.
"The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches," said FCC chairwoman, Jessica Rosenworcel. "Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that's the case no matter which provider a customer chooses."
Under the settlement, AT&T has agreed to strengthen its data governance and supply chain integrity practices as part of a Consent Decree.
It requires the company to:
- Enhance tracking of customer data as part of a data inventory program
- Require vendors to adhere to data retention and disposal obligations
- Implement multi-faceted vendor controls and oversight
- Implement a comprehensive information security program
- Conduct annual compliance audits
"As high-value targets, communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data," said FCC Enforcement Bureau chief, Loyaan Egal.
"Today's announcement should send a strong message that the Enforcement Bureau will not hesitate to take action against service providers that choose to put their customers' data in the cloud, share that data with their vendors, and then fail to be responsible custodians of that data."