AT&T to pay $13M to resolve FCC vendor cloud breach investigation

The FCC Enforcement Bureau has entered into a $13M settlement to resolve its investigation into whether AT&T Services failed to meet its duty to protect the confidentiality of customer proprietary information, improperly used, disclosed, or permitted access to individually identifiable customer proprietary network information without customer approval, failed to take reasonable measures to discover and protect against attempts to gain access to CPNI, and engaged in unjust and unreasonable privacy, cybersecurity, and vendor management practices in connection with a data breach of its vendor’s cloud environment that occurred in January 2023. The 2023 Breach occurred when threat actors accessed the vendor’s cloud environment and ultimately exfiltrated AT&T customer information that the Company had previously shared with the vendor. The vendor should have destroyed or returned that customer information years prior to the 2023 Breach pursuant to relevant contracts AT&T entered into with the vendor. AT&T failed to ensure its vendor adequately protected that customer information; instead, it remained in the vendor’s cloud environment for many years after it should have been deleted or returned to AT&T and was ultimately exposed in the 2023 Breach. AT&T has committed to robust terms of agreement to strengthen the company’s data governance practices to ensure appropriate processes and procedures are incorporated into AT&T’s business practices to protect consumers’ sensitive data against similar vendor data breaches in the future, the FCC said.