AT&T Agrees $13m FCC Settlement Over Cloud Data Breach

AT&T has agreed to pay $13m to the US telco regulator to settle a long-running investigation into whether it failed to protect customer data stored in the cloud.

The Federal Communications Commission (FCC) explained that the incident stemmed from a supply chain breach in January 2023 when threat actors exfiltrated AT&T customer data from a vendor’s cloud environment.

The unnamed vendor was used “to generate and host personalized video content, including billing and marketing videos” for those customers, the regulator confirmed. It’s believed around nine million wireless accounts were accessed as a result.

The FCC’s investigation had tried to determine whether the telco giant had “engaged in unreasonable privacy, cybersecurity and vendor management practices” in connection with the breach.

“The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,” said FCC chairwoman, Jessica Rosenworcel. “Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”

As part of the settlement, AT&T has agreed under a Consent Decree to strengthen its data governance and supply chain integrity practices.

It requires the company to:

  • Enhance tracking of customer data as part of a data inventory program
  • Require vendors to adhere to data retention and disposal obligations
  • Implement multi-faceted vendor controls and oversight
  • Implement a comprehensive information security program
  • Conduct annual compliance audits

“As high-value targets, communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data,” said FCC Enforcement Bureau chief, Loyaan Egal. 

“Today’s announcement should send a strong message that the Enforcement Bureau will not hesitate to take action against service providers that choose to put their customers’ data in the cloud, share that data with their vendors, and then fail to be responsible custodians of that data.”
