What you need to know
- The FCC fined AT&T $13 million for a cloud security failure that exposed sensitive customer info last year, equivalent to a fee of about $1.46 per customer exposed.
- In 2023, a former AT&T cloud vendor was hacked, compromising data for 8.9 million customers.
- The vendor was supposed to delete customer data after it was no longer needed but held onto it for years, leading to the breach.
The Federal Communications Commission has slapped AT&T with a $13 million fine over a cloud security slip-up that led to a data breach last year, leaving customers’ sensitive personal information exposed to outside parties.
In 2023, a former AT&T cloud vendor was hacked, exposing the data of 8.9 million customers. The FCC’s press release (via Ars Technica) says AT&T didn’t do enough to protect customer information.
AT&T handed over customer data to the vendor between 2015 and 2017 to create personalized video content. The customer information was supposed to be returned or deleted once it was no longer necessary—something that should have been done long before the breach happened.
Their contract required AT&T to make sure the data was securely deleted by 2018. However, the vendor held onto the data for years, which eventually led to the 2023 breach.
The FCC stated that AT&T not only dropped the ball on making sure the vendor safeguarded customer data but also didn’t follow up to ensure it was returned or deleted.
Luckily, the breached data didn’t include sensitive information like passwords, Social Security numbers, or credit card details. Most of what was exposed related to customer accounts, like billing balances.
As a condition of the settlement, AT&T has vowed to strengthen its data management practices and set up clear protocols for safeguarding customer information. These improvements are expected to be quite costly, likely exceeding the $13 million fine.
Although the 2023 data breach was a major event, it wasn't AT&T's first run-in with such issues. Last April, the company had to reset passwords for around 73 million customers after their credentials were found on the dark web. This incident sparked a flurry of class-action lawsuits from affected customers.
In July, the carrier revealed that a large chunk of its customers' phone and text records was compromised in a data breach linked to the cloud platform Snowflake. The fallout also affected customers of AT&T-owned networks like Cricket Wireless and other carriers that use AT&T’s infrastructure.
