The US Federal Communications Commission (FCC) has imposed a $13m penalty on telecommunications holding company AT&T following an investigation into the company’s handling of customer data.
The Enforcement Bureau’s probe focused on whether AT&T failed to adequately protect its customers’ information following a data breach involving a vendor’s cloud environment. This vendor was responsible for generating and hosting personalised video content, such as billing and marketing videos, for AT&T customers.
According to AT&T’s contracts, the vendor was required to either destroy or return customer data once it was no longer needed. However, the telecoms firm did not ensure the vendor complied with these obligations, leading to the breach in January 2023 when cybercriminals exfiltrated AT&T customer data from the vendor’s cloud.
The breach resulted in the theft of information related to more than 8.9 million AT&T wireless customers.
The FCC’s investigation scrutinised whether AT&T’s management of customer data, privacy practices and vendor oversight were inadequate and contributed to the breach. The agency said the data exposed in the 2023 breach included records of customers from 2015 through 2017, which should have been deleted in 2017 or 2018.
To address these issues, AT&T agreed to a consent decree that includes commitments to improve its data governance practices, strengthen supply chain integrity, and implement robust processes for handling sensitive data.
This decree aims to prevent similar breaches in the future by enhancing AT&T’s oversight of vendor security and data protection.
AT&T penalised under US Communications Act of 1934
Under the Communications Act of 1934, telecommunications companies like AT&T are mandated to protect customer data and ensure that their contractors and vendors also meet these security requirements, said the FCC.
The Act makes carriers responsible for the actions of their agents and contractors, necessitating stringent data protection measures.
The decree outlines several consumer privacy and data protection terms that AT&T is required to implement, including improved tracking of customer data, stringent vendor retention and disposal protocols, enhanced vendor controls and oversight, and a comprehensive Information Security Program.
Additionally, AT&T will need to conduct annual compliance audits to ensure adherence to these new requirements.
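The failure described above is a concrete one: records that had a deletion deadline were still sitting in a vendor’s cloud years later, and nobody on the carrier side checked. The following retention audit is an added example (not AT&T’s, the vendor’s or the FCC’s process) of the kind of check the decree’s “improved tracking of customer data” and “vendor retention and disposal protocols” imply. It assumes a hypothetical one-year retention window after a vendor’s business need ends (the article gives no figure) and runs over a constructed inventory that mirrors the 2015–2017 records from the breach.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention window: a vendor must destroy or return data within this
# many days of no longer needing it. The article states no figure; 365 is a
# placeholder for illustration only.
RETENTION_DAYS = 365


@dataclass(frozen=True)
class VendorRecord:
    """One customer-data item held by a vendor, as tracked in a data inventory."""
    record_id: str
    customer_id: str
    vendor: str
    last_needed: date   # date the vendor's business need ended (e.g. video delivered)
    disposed: bool      # vendor has attested destruction or return of the data


def deletion_deadline(last_needed: date, retention_days: int = RETENTION_DAYS) -> date:
    """Date by which the vendor should have destroyed or returned the record."""
    return last_needed + timedelta(days=retention_days)


def overdue_records(records, as_of: date, retention_days: int = RETENTION_DAYS):
    """Records still held past their deletion deadline, oldest first.

    Disposed records are skipped; everything else whose deadline has already
    passed is a compliance gap the carrier should escalate to the vendor.
    """
    overdue = [
        r for r in records
        if not r.disposed and deletion_deadline(r.last_needed, retention_days) < as_of
    ]
    return sorted(overdue, key=lambda r: r.last_needed)


def overdue_ids(records, as_of_iso: str, retention_days: int = RETENTION_DAYS):
    """Convenience wrapper taking an ISO date string; returns overdue record IDs."""
    as_of = date.fromisoformat(as_of_iso)
    return [r.record_id for r in overdue_records(records, as_of, retention_days)]


def overdue_by_vendor(records, as_of_iso: str, retention_days: int = RETENTION_DAYS):
    """Count of overdue records per vendor, for the oversight report."""
    as_of = date.fromisoformat(as_of_iso)
    summary = {}
    for r in overdue_records(records, as_of, retention_days):
        summary[r.vendor] = summary.get(r.vendor, 0) + 1
    return summary


# Constructed sample inventory (not real data). r1 and r2 model the 2015-2017
# records the FCC said should have been deleted in 2017 or 2018; r3 was
# properly disposed of; r4 is recent and still inside its retention window.
SAMPLE_RECORDS = [
    VendorRecord("r1", "c-1001", "video-vendor", date(2016, 3, 1), disposed=False),
    VendorRecord("r2", "c-1002", "video-vendor", date(2017, 6, 15), disposed=False),
    VendorRecord("r3", "c-1003", "video-vendor", date(2017, 11, 2), disposed=True),
    VendorRecord("r4", "c-1004", "billing-vendor", date(2022, 12, 1), disposed=False),
]


if __name__ == "__main__":
    # Audit as of the month the breach occurred.
    for r in overdue_records(SAMPLE_RECORDS, date(2023, 1, 1)):
        days_late = (date(2023, 1, 1) - deletion_deadline(r.last_needed)).days
        print(f"{r.record_id} held by {r.vendor}: {days_late} days past deadline")
    print(overdue_by_vendor(SAMPLE_RECORDS, "2023-01-01"))
```

The point of the check is not the arithmetic but that it runs against the carrier’s own inventory, independent of the vendor’s word: a record stays “not disposed” until the vendor produces an attestation, so the report surfaces exactly the data that was sitting in the cloud when it should not have been.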
The FCC said that the implementation of these measures will involve significant investments by AT&T, potentially exceeding the civil penalty imposed.
“The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,” said FCC Chairwoman Jessica Rosenworcel. “Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”
Currently, the FCC is also investigating a larger data breach involving AT&T, following the carrier’s disclosure in July this year of a massive hacking incident that occurred in April 2024.
This breach resulted in the illegal downloading of data associated with approximately 109 million customer accounts.
AT&T revealed that call logs, including call and text data spanning six months in 2022, were copied from its workspace on the Snowflake cloud platform. The breach affected nearly all of the company’s customers, raising significant concerns about AT&T’s data security practices.
In addition to these data breaches, AT&T reported in early April that 73 million current and former account holders were potentially affected by a separate leak of customer data that had surfaced online. This data set included customer passcodes and Social Security numbers dating back to 2019.