AT&T Fined for Data Breach Related to Third-Party Vendor

September 18, 2024

AT&T is paying $13 million in fines related to data breach accusations. Reportedly, the company forwarded customer information to a vendor for marketing purposes. The vendor was contractually required to later delete the data but failed to do so.

In addition to the fine, AT&T will comply with an order issued by the Federal Communications Commission (FCC) that places further restrictions on data sharing. The new rules, which require AT&T to limit what information a vendor can access and to conduct audits of vendors’ data management policies, will last three years.

While the customer information was supposed to be discarded by 2018, a January 2023 data breach of the vendor’s cloud services revealed data from 8.9 million AT&T wireless subscribers. According to the FCC, it is still AT&T’s responsibility to protect customer data even though the third-party company gave assurances that the information was removed.

“Under AT&T’s contracts, the vendor should have destroyed or returned AT&T customer information when no longer necessary to fulfill contractual obligations, which ended years before the breach occurred,” wrote the FCC. “AT&T failed to ensure the vendor: (1) adequately protected the customer information, and (2) returned or destroyed it as required by contract.”

After the breach was detected, AT&T monitored the accounts of affected customers and did not find that any unlawful activity or fraud had occurred. Customers were told of the security incident in March 2023.

Per Ars Technica, no credit card information, account passwords, or Social Security numbers were exposed. However, the hacker was able to obtain bill payment records, including balance owed and rate plan, of roughly 1% of impacted customers.

In April of this year, AT&T had to reset the passcodes of millions of customers due to an unrelated data incident. The company initiated the changes after encrypted passcodes were leaked online; these could have been deciphered and used to access customer information.