Affiliate links on Android Authority may earn us a commission. Learn more.
AT&T reaches settlement over 2023 data breach, agrees to pay $13 million
- AT&T has finally reached a settlement with the FCC over a previous data breach by a third-party vendor.
- While AT&T wasn’t directly responsible, it didn’t ensure customer data was properly deleted by its vendors.
- AT&T will not only pay a $13 million fee but has also agreed to implement changes that will better protect customer data in the future.
AT&T found itself in some hot water with the FCC back in January 2023 when it was discovered that a partnering vendor had suffered a data breach involving AT&T customer information. While AT&T was not directly responsible for the breach, it allegedly failed to ensure that the vendor had destroyed the data when it was no longer needed, making AT&T liable. AT&T has now finally settled the issue with the FCC (via ArsTechnica), agreeing to pay a $13 million fine and implement stricter controls on sharing data with its vendors.
The main issue was that the data collected should have been destroyed years earlier. Even though the breach wasn’t entirely AT&T’s fault, the law requires carriers to protect customer data. Therefore, it makes sense that the carrier would be held accountable for having lax or unclear policies around how to manage shared data.
It’s worth noting that while this is a serious security issue, the breach did not expose highly sensitive information such as credit card details, account passwords, or Social Security numbers. Instead, it included more basic information, like the number of lines on an account.
We reached out to AT&T for a statement on the FCC ruling, and here’s what their representative had to say:
“Protecting our customers’ data remains one of our top priorities. A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers. Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.”
What kind of enhancements is AT&T making exactly? According to the public version of the FCC’s consent decree, AT&T will be required to make significant investments in safeguarding data shared with third-party vendors. The decree also states that AT&T must require vendors to adhere to retention and disposal obligations related to customer information, limiting the quantity of customer data vulnerable to breaches. Additionally, AT&T must conduct annual compliance audits on all its vendors, and the FCC will be actively involved in ensuring AT&T meets its obligations under the settlement. The Commission will enforce these stricter requirements for the next three years.
Overall, while this data breach could have been a much bigger deal if more sensitive information had been exposed, AT&T can easily afford the fines. Still, this is a win for consumers, as it shows the FCC is taking data breaches seriously and holding carriers accountable. Even though companies like AT&T can handle the financial penalties, their reputation takes a hit if they don’t tighten security measures. Ultimately, this means breaches like this will hopefully become far less common in the future.