The Federal Communications Commission (FCC) has announced a $13 million settlement with AT&T following an investigation into a data breach involving a third-party vendor. The breach, which occurred in January 2023, compromised AT&T customer data hosted in a vendor’s cloud environment. The investigation uncovered that AT&T failed to ensure the vendor adhered to contractual obligations to protect customer information, resulting in unauthorized data access.
The vendor in question was contracted to create and host personalized billing and marketing videos for AT&T’s customers. However, the vendor retained customer information beyond the contract period, which ended years before the breach, violating data retention policies. Threat actors exploited vulnerabilities in the vendor’s cloud environment, exfiltrating sensitive customer information.
The FCC Enforcement Bureau launched the investigation to determine whether AT&T had engaged in negligent privacy, cybersecurity, and vendor management practices. This led to a settlement agreement, known as a Consent Decree, which requires AT&T to make significant changes to its data security framework. The measures focus on enhancing data governance and supply chain integrity to prevent similar breaches in the future.
AT&T, a global telecommunications giant serving millions of customers in the U.S., will now be required to overhaul its data protection policies, particularly those concerning third-party vendors. These changes, referred to as “Consumer Privacy Upgrades,” include:
- Implementing a data inventory program to track customer data.
- Enforcing strict data retention and disposal practices for vendors.
- Establishing comprehensive vendor controls and oversight.
- Developing a robust Information Security Program for broader customer data protection.
- Conducting annual audits to ensure compliance.
The scale of these reforms suggests that AT&T will need to invest substantially in its data protection infrastructure, particularly given the company's extensive vendor network and large customer base. FCC Chairwoman Jessica Rosenworcel emphasized that the responsibility of telecom providers to protect consumer data has never been more critical in the digital age.
The settlement is part of the FCC’s ongoing efforts to enforce stricter data security standards, particularly following similar actions taken against other telecom providers, such as Verizon's $16 million settlement on behalf of TracFone in July 2024.