The Federal Communications Commission (FCC) has reached a $13 million settlement with AT&T to resolve a probe into whether the telecom giant failed to protect customer data after a vendor’s cloud environment was breached three years ago.
The FCC’s investigation also examined AT&T’s supply chain integrity and whether the telecom giant engaged in poor privacy and cybersecurity practices.
The massive data breach investigated by the FCC occurred in January 2023, when threat actors accessed customer data of roughly 9 million AT&T wireless accounts stored by a vendor contracted to generate customized video content, including billing and marketing videos.
“Customer Proprietary Network Information from some wireless accounts was exposed, such as the number of lines on an account or wireless rate plan,” AT&T told BleepingComputer at the time.
“The information didn’t contain credit card information, Social Security Number, account passwords or other sensitive personal information. We’re notifying affected customers.”
The CPNI data exposed in the January 2023 breach included customer first names, wireless account numbers, phone numbers, and email addresses.
Even though the vendor was required to destroy or return the data after the contract ended—years before the breach—it failed to do so. AT&T was found to have inadequately monitored the vendor’s compliance with its contractual obligations.
AT&T agrees to boost customer data security
To settle the investigation, AT&T has also agreed to strengthen its data governance practices to protect its customers’ sensitive data against similar vendor data breaches in the future.
The consent decree requires AT&T to implement a comprehensive Information Security Program that includes broad customer data protection, improve its data inventory processes to track data shared with vendors, ensure that vendors follow retention and disposal rules for customer information (to limit the amount of customer data vulnerable to breaches), and conduct annual compliance audits to assess AT&T’s compliance with these requirements.
“The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,” said FCC Chairwoman Jessica Rosenworcel.
“Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”
Enforcement Bureau Chief Loyaan A. Egal also underscored the significance of the case, noting that “Communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data.”
“Protecting our customers’ data remains one of our top priorities. A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers,” an AT&T spokesperson told BleepingComputer after publishing time.
“Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.
“In accordance with FCC requirements, we began notifying customers of this incident in March 2023. The data included information like the number of lines on an account. It didn’t contain credit card information, Social Security Numbers, account passwords or other sensitive personal information.”
In July 2024, AT&T warned of another massive data breach after threat actors stole the call logs for roughly 109 million customers (nearly all of its mobile customers) from an online database on the company’s Snowflake account between April 14 and April 25, 2024.
The exposed data contained phone numbers, call durations, communications metadata, and number of calls or texts. However, AT&T said the attackers could not access the content of the calls or texts, customer names, or any other personal information like Social Security numbers or dates of birth.
In April, the company also notified 51 million former and current customers of a data breach linked to a large amount of AT&T customer data leaked in March on the Breached hacking forum and previously offered for sale for $1 million in 2021.
Update September 17, 14:54 EDT: Added AT&T statement.