AT&T agrees to $13 million fine for third-party cloud breach

The breach resulted in the theft of information related to more than 8.9 million AT&T Mobility customers.


By Derek B. Johnson, September 17, 2024

The Federal Communications Commission has reached a $13 million settlement with AT&T over a January 2023 data breach that was traced to one of its third-party cloud vendors. The breach, which resulted in the theft of information related to more than 8.9 million AT&T Mobility customers, happened through an unnamed company the telecom giant used for marketing, billing and generating personalized video content.

According to the settlement, AT&T shared customer data, including subscriber data, with the vendor in order to use its services. The contract between AT&T and the vendor included specific requirements for protecting and disposing of that data, and multiple reviews and assessments conducted between 2016 and 2020 claimed that the vendor was adhering to data deletion policies.

But the January 2023 theft included data that should have been deleted by the vendor in 2017 or 2018, and the FCC concluded that AT&T was ultimately responsible for the lapse. “As high-value targets, communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data,” Loyaan A. Egal, the FCC’s Enforcement Bureau chief, said in a statement.

“Today’s announcement should send a strong message that the Enforcement Bureau will not hesitate to take action against service providers that choose to put their customers’ data in the cloud, share that data with their vendors, and then fail to be responsible custodians of that data.”

According to the settlement, AT&T notified the vendor of the breach Jan. 6, 2023, and reported the incident to the government on Feb. 7 of that year through an online reporting form. The stolen data includes the number of phone lines on a customer’s account, bill balance and payment information and rate plan names for approximately 1% of the 8.9 million impacted customers.

In addition to paying a $13 million fine, AT&T entered into a consent decree with the government mandating a series of improvements to the way the company stores and protects its customer data in the cloud. Those actions include annual compliance audits and designing a “comprehensive” information security program to better protect sensitive customer data. It also requires AT&T to engage in more oversight of its third-party vendor ecosystem, such as limiting access to sensitive customer data, better tracking of what information is shared with vendors, enforcing requirements around data disposal and stricter oversight of the data protection policies and safeguards that vendors employ for their own systems and networks.

When reached for comment, AT&T spokesperson Alexander Byers told CyberScoop that the company began notifying customers of the incident in March 2023 and that the breached data did not contain any credit card information, Social Security numbers, or account passwords. “Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices,” Byers said in an emailed statement.

While the settlement ends the FCC’s probe into the January 2023 vendor cloud breach, the agency is still investigating a much larger breach of AT&T revealed in July, in which hackers were able to access six months of phone and text messages from “nearly all” its customers via an attack on the third-party cloud platform Snowflake.
