AT&T too lax with data

AT&T fined $13M for data breach after giving customer bill info to vendor

AT&T data should have been deleted but remained in cloud for years before hack.

Jon Brodkin

AT&T agreed to pay a $13 million fine because it gave customer bill information to a vendor in order to create personalized videos, then allegedly failed to ensure that the vendor destroyed the data when it was no longer needed. In addition to the fine, AT&T agreed in a consent decree announced today by the Federal Communications Commission to stricter controls on sharing data with vendors.

In January 2023, years after the data was supposed to be destroyed, the vendor suffered a breach "when threat actors accessed the vendor's cloud environment and ultimately exfiltrated AT&T customer information," the FCC said. Information related to 8.9 million AT&T wireless customers was exposed.

Phone companies are required by law to protect customer information, and AT&T should not have merely relied on third-party firms' assurances that they destroyed data when it was no longer needed, the FCC said.

"AT&T used the vendor to generate and host personalized video content, including billing and marketing videos, for AT&T customers," an FCC press release said. "Under AT&T's contracts, the vendor should have destroyed or returned AT&T customer information when no longer necessary to fulfill contractual obligations, which ended years before the breach occurred. AT&T failed to ensure the vendor: (1) adequately protected the customer information, and (2) returned or destroyed it as required by contract."

The data "remained in the vendor's cloud environment for many years after it should have been deleted or returned to AT&T and was ultimately exposed" in the January 2023 breach, an FCC Enforcement Bureau order said.

Data should have been deleted in 2018

AT&T told the FCC that it shared customer data with the vendor between 2015 and 2017, and that data was supposed to be "securely destroyed or deleted" by 2018. The exposed data included "line count for all impacted customers, and bill balance and payment information and rate plan name and features for approximately one percent of impacted customers," the FCC said.

AT&T told Ars today that the data "did not contain credit card information, Social Security Numbers, account passwords or other sensitive personal information." AT&T said it notified customers of the breach in March 2023.

"AT&T stated that it monitored impacted customer accounts following the incident and identified no evidence of AT&T account-related fraud or other unlawful or unauthorized activity tied to the Breach," the consent decree said. "According to AT&T, porting, SIM swap, and equipment fraud rates for impacted customers following the incident were consistently less than the rates for the general population of AT&T Mobility customers across all account types."

When contacted by Ars, AT&T did not respond directly to the FCC's allegation that it failed to ensure the vendor protected customer information. AT&T provided us with a statement saying, "A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers. Though our systems were not compromised in this incident, we're making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors' data management practices."

Vendor X and Supplier 1

The public version of the consent decree identifies AT&T's contractor only as "Vendor X." There was another company that Vendor X subcontracted with, identified as "Supplier 1." AT&T told the FCC that it "performed multiple reviews and assessments of Vendor X and Supplier 1 between 2016 and 2020." AT&T also told the FCC that the vendor and supplier "both stated that they were destroying data in accordance with their respective agreements," according to the document.

The FCC, unsatisfied with AT&T's efforts to ensure the deletion of data, said the consent decree requires new "data governance practices to ensure appropriate processes and procedures are incorporated into AT&T's business practices to protect consumers' sensitive data against similar vendor data breaches in the future."

The requirements will be in place for three years. AT&T must improve security by "engaging in due diligence when selecting vendors, requiring vendors to employ safeguards for customer information, limiting vendor access to and storage of customer information, and conducting enhanced vendor oversight," the consent decree said. AT&T must create a data inventory program "to track AT&T customers' data shared with vendors."

AT&T must also "requir[e] vendors to adhere to retention and disposal obligations related to customer information, to limit the quantity of customer information vulnerable to breach," and conduct annual compliance audits "to evaluate AT&T's compliance with the Consent Decree, including the information security and vendor information security requirements," the FCC said.

The FCC said complying with the consent decree will require significant investments in safeguarding data shared with third-party vendors. "Given AT&T's size, number of customers, and extensive use of vendors, this will likely require expenditures far greater than the civil penalty herein," the FCC said. "The Commission will hold AT&T accountable for making these mandatory changes to its data protection practices, as required to comply with this Consent Decree, the Communications Act, and the Commission's rules going forward."

AT&T can easily afford the fine. The company reported $29.8 billion in revenue and $3.9 billion in net income in Q2 2024.

The breach described in the consent decree is not the most recent or the biggest leak of AT&T customer data involving a third-party vendor. AT&T confirmed in July 2024 that call and text records for nearly all AT&T cellular customers were exposed in the hack of "AI data cloud" provider Snowflake. After that breach, US senators questioned why AT&T was storing massive amounts of call and text message records on a third-party analytics platform.

Jon Brodkin, Senior IT Reporter
Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.