AT&T recently agreed to pay a $13 million fine as a result of a data breach involving customer bill information. The breach occurred when a vendor, who was responsible for creating personalized videos for AT&T customers, failed to destroy the data as required. This led to a breach in January 2023, where threat actors accessed the vendor’s cloud environment and exposed information related to 8.9 million AT&T wireless customers.
The Federal Communications Commission (FCC) announced a consent decree with AT&T, requiring the company to implement stricter controls on sharing data with vendors. The FCC emphasized that phone companies are obligated by law to protect customer information and should not solely rely on third-party assurances regarding data destruction.
AT&T disclosed that the data shared with the vendor between 2015 and 2017 was supposed to be securely deleted by 2018. The exposed information included details such as line count, bill balance, payment information, and rate plan features for a portion of impacted customers. However, AT&T clarified that sensitive information like credit card details, Social Security Numbers, and account passwords were not compromised.
Following the breach, AT&T notified customers and monitored impacted accounts for any fraudulent activity. The company reported that there was no evidence of unauthorized access or fraudulent behavior related to the breach. Despite these assurances, the FCC raised concerns about AT&T’s oversight of the vendor’s data protection measures.
In response to inquiries, AT&T acknowledged the security incident involving the vendor and stated that while their systems were not breached, they are enhancing internal data management practices and imposing stricter requirements on vendors. The company is taking steps to improve customer information security and prevent similar incidents in the future.
The incident serves as a reminder of the importance of robust data protection measures and thorough oversight of third-party vendors. Companies must ensure that customer information is safeguarded throughout its lifecycle, including secure deletion when no longer needed. By learning from this breach, AT&T aims to strengthen its data management practices and uphold the trust of its customers.
