This week, the Federal Communications Commission (FCC) concluded its investigation into a 2023 data breach at AT&T, resulting in a $13 million fine for the telecommunications giant. The penalty comes after the company failed to safeguard consumer data adequately, facilitating a breach that affected 8.9 million customers.
In January 2023, cybercriminals accessed customer data through a third-party cloud vendor used by AT&T for generating personalized video content. These videos included billing and marketing information. According to the FCC, the vendor was expected to destroy or return the data when it was no longer needed, but AT&T did not enforce this requirement, which led to the data theft.
The stolen data was from the period 2015 to 2017 and should have been deleted by 2018. The FCC found that AT&T’s failure to ensure data deletion breached its duty to protect customer privacy.
FCC Chairwoman Jessica Rosenworcel emphasized the importance of data security for carriers in the digital age. “The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches.”
As part of the settlement, AT&T has agreed to enhance its data security and supply chain integrity practices. The company will also undergo annual compliance audits to ensure sustained adherence to these standards.
The January breach is not the only cybersecurity incident under scrutiny. Earlier this summer, AT&T disclosed another data breach from April 2023, affecting approximately 109 million customers, nearly its entire subscriber base. The FCC is still investigating this incident.