
The Federal Communications Commission (FCC) reached a $13 million settlement with AT&T following a data breach in January 2023 that compromised sensitive information about over 8.9 million AT&T Mobility customers. The breach was traced to a third-party cloud vendor responsible for marketing, billing, and generating personalized video content for the telecom giant.
AT&T had shared customer data with the vendor to facilitate its services. Despite multiple reviews between 2016 and 2020 that confirmed the vendor was following data protection and deletion policies, the FCC found that data stolen in the January 2023 breach should have been deleted in 2017 or 2018. The FCC held AT&T accountable for the vendor’s failure to properly safeguard and dispose of the data.
In response to the settlement, Loyaan A. Egal, the FCC’s Enforcement Bureau chief, emphasized the need for communication service providers to minimize security vulnerabilities, stating, “Today’s announcement should send a strong message... we will not hesitate to take action against service providers that fail to be responsible custodians of that data.”
AT&T became aware of the breach on January 6, 2023, and reported the incident to the government a month later. The stolen data included phone line numbers, bill balances, payment details, and rate plan names, affecting about 1% of the 8.9 million impacted customers. However, the breach did not compromise sensitive information such as credit card numbers, Social Security numbers, or account passwords, according to an AT&T spokesperson.
As part of the settlement, AT&T agreed to several improvements to its data protection practices, including:
AT&T began notifying affected customers in March 2023 and committed to revising its internal and vendor data management practices to prevent future breaches. While this settlement concludes the FCC’s investigation into the January 2023 breach, the agency continues to investigate a separate, larger breach revealed in July 2023, in which hackers accessed six months’ worth of phone and text messages from nearly all AT&T customers via an attack on the third-party cloud platform Snowflake.