FCC fines AT&T $13M over January 2023 data breach

AT&T data breach fine overview: 

• Who: AT&T has agreed to pay $13 million to end a Federal Communications Commission investigation into a January 2023 data breach that affected nearly 9 million consumers. 
• Why: The FCC said it found that AT&T failed to ensure its vendor who suffered the data breach was adequately protecting the customer information it shared with it from 2015 to 2017.
• Where: The AT&T data breach affected millions of its customers nationwide.

AT&T agreed to pay $13 million to put an end to claims revolving around a January 2023 data breach incident that affected nearly 9 million of its customers. 

The Federal Communications Commission announced the agreement earlier this week, saying the fine ends the agency’s investigation into whether AT&T failed to “meet its duty to protect” the information of its customers. 

The AT&T data breach occurred in January 2023 after a threat actor was able to gain access to the cloud environment of one of its vendors and extracted AT&T customer information that had previously been shared with the vendor, according to the FCC. 

AT&T was also under investigation for whether it improperly used, disclosed or permitted access to individually identifiable customer information without customer approval, and if it failed to take reasonable measures to discover and protect against data breach efforts, according to the FCC. 

FCC says AT&T failed to ensure vendor ‘adequately protected’ customer info

The FCC, which was also investigating if AT&T engaged in “unjust and unreasonable privacy, cybersecurity, and vendor management practices” in connection with the data breach, said the telecom company ultimately bore responsibility for the incident. 

“AT&T failed to ensure its vendor adequately protected that customer information; instead, it remained in the vendor’s cloud environment for many years after it should have been deleted or returned to AT&T and was ultimately exposed in the 2023 Breach,” the FCC said in an order.

The data breach exposed information shared by AT&T with the vendor between 2015 and 2017, and included the number of lines on an account and, in several cases, bill balance and rate plan information, according to the FCC. 

Earlier this year, a trio of class actions accused AT&T of failing to protect customers’ data in a separate data breach that began in May 2022 and affected nearly all 110 million of AT&T’s wireless customers. 

Have you been affected by an AT&T data breach? Let us know in the comments.

Read About More Class Action Lawsuits & Class Action Settlements:

• AT&T class action alleges co. sends unsolicited text messages
• AT&T class action claims data breach affected others using network
• Consumers file AT&T class actions following massive data breach
• AT&T class action over reward cards consolidated, dismissed