AT&T has agreed to pay $13 million to settle a Federal Communications Commission (FCC) investigation into a vendor-related data breach that compromised the information of millions of the company’s customers.
“Today’s announcement should send a strong message that the Enforcement Bureau will not hesitate to take action against service providers that choose to put their customers’ data in the cloud, share that data with their vendors, and then fail to be responsible custodians of that data,” Loyaan Egal, chief of the Enforcement Bureau and chair of the FCC’s privacy and data protection task force, said in a statement.
The January 2023 breach of an unidentified vendor previously used by AT&T led to the exposure of data collected from 8.9 million AT&T customers.
“Under AT&T’s contracts, the vendor should have destroyed or returned AT&T customer information when no longer necessary to fulfill contractual obligations, which ended years before the breach occurred,” the FCC said in the announcement.
The agency alleged that AT&T failed to ensure the vendor adequately protected customer information and failed to verify that the vendor had either returned or destroyed the data.
Information exposed in the breach included details such as the number of lines on customers’ accounts and, in some cases, billing balances and rate plan details. Sensitive information, including credit card numbers, Social Security numbers, and account passwords, was not compromised, according to both AT&T and the FCC.
“Protecting our customers’ data remains one of our top priorities,” an AT&T spokesperson told The Epoch Times in an emailed statement. “A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers,” the spokesperson said.
“Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.”
In a separate, unrelated incident, AT&T disclosed in July that customer data had been illegally downloaded from a third-party cloud platform in April 2024. The breach affected “nearly all” AT&T cellular customers and included records of calls and texts from May to October 2022. No personal information, such as Social Security numbers or the content of messages, was compromised, according to AT&T, which said it had secured the system and was working with law enforcement.