AT&T Penalized $13 Million for Data Breach Resulting in Unauthorized Sharing of Customer Billing Details with Vendor

# AT&T Penalized $13 Million for Data Breach Linked to Vendor Mismanagement

AT&T, a leading telecommunications provider in the U.S., has agreed to a $13 million penalty over a major data breach that compromised sensitive customer information. The incident arose after AT&T transmitted customer billing data to a third-party vendor for producing personalized videos but never confirmed that the vendor destroyed the data once it was no longer needed. The Federal Communications Commission (FCC) announced the fine, along with further obligations, in a consent decree dated October 2024.

## Overview of the Breach Incident

From 2015 to 2017, AT&T provided customer data to a vendor, referred to as “Vendor X” in FCC records, for producing customized billing and promotional videos for its clientele. The data encompassed critical customer details including billing information, rate plans, and payment data. According to AT&T’s agreement with the vendor, the data was expected to be securely destroyed or returned by 2018 after fulfilling the contractual conditions.

Nonetheless, the vendor failed to dispose of the information properly, and it remained in the vendor's cloud environment for several years. In January 2023, attackers gained access to the vendor's cloud system and extracted customer data. The breach affected around 8.9 million AT&T wireless customers.

### Categories of Exposed Data

The data breach disclosed several types of customer information, such as:

– Line counts for all affected customers.
– Billing amounts and payment details.
– Rate plan titles and features for roughly 1% of the impacted customers.

AT&T stated that the exposed information did not include highly sensitive data such as credit card details, Social Security numbers, or account passwords. The company notified the affected customers of the breach in March 2023 and said it had identified no fraudulent activity related to the incident, such as SIM swaps or equipment fraud.

## AT&T’s Inadequate Data Protection Measures

The FCC's investigation found that AT&T failed to ensure that the vendor and its subcontractor, referred to as "Supplier 1," adequately safeguarded customer information. Although AT&T performed several evaluations and reviews of the vendor and subcontractor between 2016 and 2020, it relied on their assertions that the data had been destroyed in compliance with the contract. Those assertions later proved inaccurate: the data still resided in the vendor's cloud environment and was ultimately compromised in the breach.

The FCC stressed that telecom carriers have a legal obligation to safeguard customer information and cannot simply delegate data security to third-party vendors. AT&T's failure to verify that the data was destroyed or returned as the contract required was central to the FCC's decision to levy the fine.

## Implementation of Stricter Data Governance Policies

In line with the consent decree, AT&T has committed to adopting more rigorous protocols regarding sharing customer data with vendors. The forthcoming requirements, effective for three years, encompass:

– **Improved Vendor Oversight**: AT&T is mandated to conduct thorough evaluations when selecting vendors and ensure they implement suitable measures to protect customer information.
– **Data Retention and Disposal Policies**: Vendors will be required to comply with stricter guidelines regarding data retention and disposal to minimize the exposure of customer data to breaches.
– **Data Inventory Program**: AT&T needs to establish a program to oversee customer data shared with vendors, ensuring it is adequately managed and disposed of when no longer necessary.
– **Annual Compliance Reviews**: AT&T will be obligated to perform yearly audits to assess its adherence to the consent decree and confirm that vendors are conforming to the new data security stipulations.

The FCC indicated that meeting these new standards will likely necessitate significant investments from AT&T, given the company’s scale and extensive engagement with third-party vendors. However, the FCC clarified its intent to hold AT&T accountable for implementing the essential modifications to its data protection strategies.

## AT&T’s Reaction

In a response to Ars Technica, AT&T did not explicitly address the FCC’s claims regarding its failure to ensure the vendor maintained data protection. Nevertheless, the company released a statement recognizing the breach and detailing measures it is undertaking to enhance data security.

"A vendor we previously utilized encountered a security incident last year that exposed data related to some of our wireless customers. Although our systems were not compromised in this occurrence, we are enhancing our internal management of customer information, in addition to instituting new mandates on our vendors' data management protocols," AT&T said in its statement.

## Prior and Ongoing Data Breaches

The breach referenced in the FCC’s consent decree is not the sole instance of data leaks involving AT&T and its third-party vendors. In July 2024, AT&T confirmed that call and text records for nearly all its cellular customers were compromised in a hack of “AI data cloud” provider Snowflake. This incident heightened concerns regarding AT&T’s data management practices, particularly its dependence on