The FCC is ordering AT&T to pay a $13 million fine to settle a complaint over cloud security missteps that led to a third-party data breach last year and exposed AT&T customer information.
AT&T didn't force the third-party entity and source of the leak to destroy or secure customer data, so the FCC says AT&T is at fault. As part of the settlement, AT&T must also up its "data governance" practices for better security and supply chain integrity going forward.
"As high-value targets, communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data,” said FCC Enforcement Bureau Chief Loyaan Egal, who also serves as Chair of the FCC’s Privacy and Data Protection Task Force, in a statement.
"Today’s announcement should send a strong message that the Enforcement Bureau will not hesitate to take action against service providers that choose to put their customers’ data in the cloud, share that data with their vendors, and then fail to be responsible custodians of that data," Egal added.
Reached for comment, an AT&T spokesperson tells PCMag that it notified customers of this breach in March 2023. The incident exposed information like the number of phone lines on accounts, but did not leak credit card information, Social Security numbers, or account passwords.
"Protecting our customers’ data remains one of our top priorities," the AT&T rep tells PCMag in a statement via email. "A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers. Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices."
But the 2023 data breach wasn't AT&T's first—or last. AT&T faced two data breaches in 2014. One occurred when a former employee viewed customers' Social Security numbers and driver's license numbers. That year, third-party vendor employees also accessed sensitive AT&T customer information.
This year, AT&T saw two major data breach incidents where customer data was exposed yet again. The company reset 73 million customers' passcodes after their passwords were leaked on the dark web this spring. Impacted customers filed dozens of class-action lawsuits in response to the breach.
In July, AT&T revealed that "nearly all" of its customers' phone and text records were leaked via cloud platform Snowflake in the second known breach this year, including customers of AT&T-owned networks like Cricket Wireless and other carriers that use its network, like Boost Mobile. This leak also sparked multiple class-action lawsuits from frustrated customers, though AT&T reportedly paid a hacker to delete the stolen data.
Data breaches more broadly have been on the rise in recent years—and last year was particularly bad. Over 300 million accounts were leaked worldwide in 2023, with the US being the "most breached" country in the world. This means 1 in 3 breached accounts last year were based in the US. While Russia came behind with the second-most breached accounts, the rest of the world saw substantially fewer exposed accounts than the US and Russia. Cloud security is also a major issue for firms storing data online, as over 80% of all data breaches last year exposed data stored in a cloud.