The Federal Communications Commission (FCC) has reached a settlement with AT&T that resolves the agency’s investigation into a January 2023 hack in which AT&T customer information was taken from a vendor’s cloud environment.
A consent decree resolving this investigation requires AT&T to pay $13 million and to strengthen its data governance practices, the FCC said in a Tuesday (Sept. 17) press release.
“The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,” FCC Chairwoman Jessica Rosenworcel said in the release. “Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”
Reached by PYMNTS, an AT&T spokesperson provided a statement saying that the company began notifying customers of the incident in March 2023, consistent with FCC regulations, and that the data included information like the number of lines on an account — it did not include sensitive personal information.
“Protecting our customers’ data remains one of our top priorities,” the AT&T statement said. “A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers. Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.”
The FCC investigation found that AT&T used a vendor to host customer information; that the vendor should have destroyed or returned that information when it was no longer needed to fulfill contractual obligations, years before the breach occurred; and that AT&T failed to ensure the vendor adequately protected the information and returned or destroyed it as required by the contract, according to the agency’s press release.
Large businesses are attractive targets for cybercriminals, PYMNTS reported in August. The combination of valuable data, complex systems and the potential for significant ransom payments makes them particularly vulnerable.
Understanding the methods used by attackers and implementing a multi-layered approach to security can help businesses prevent a disruption from escalating into a disaster.