FCC Fines AT&T $13 Million for Data Breach Last Year
The company agreed to a more thorough screening of its vendors.
Jake Neenan
WASHINGTON, Sept. 18, 2024 – AT&T has agreed to pay $13 million and beef up its data security practices to end a federal investigation into a data breach last year.
The breach involved the billing information of about 9 million AT&T customers. The information, held by an unnamed vendor, was from 2015 through 2017. The Federal Communications Commission said Tuesday that the company should have made sure the vendor deleted it years ago.
“The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,” FCC Chairwoman Jessica Rosenworcel said in a statement.
In addition to the fine, the company agreed to take a number of steps to protect customer data it shares with third parties, including stricter vendor oversight, data retention and disposal rules for those vendors, and annual vendor compliance audits for the next three years. That’s going to be a bigger financial burden than the fine itself, the agency thinks.
“Given AT&T’s size, number of customers, and extensive use of vendors, this will likely require expenditures far greater than the civil penalty herein,” the FCC said in a release.
The agreement expires in three years.
“Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices,” an AT&T spokesperson told Broadband Breakfast.
The FCC is still investigating a larger data breach at AT&T. Nearly 110 million of the company’s mobile customers’ call and text records – excluding the actual content of those calls and texts – were exposed in an April leak.
AT&T is also currently appealing a separate fine from the FCC, a $57 million penalty for selling customer location data without getting permission. The company says the location data wasn’t protected by the Communications Act.