pwshub.com

AT&T fined $13M for data breach after giving customer bill info to vendor

AT&T agreed to pay a $13 million fine because it gave customer bill information to a vendor in order to create personalized videos, then allegedly failed to ensure that the vendor destroyed the data when it was no longer needed. In addition to the fine, AT&T agreed to stricter controls on sharing data with vendors in a consent decree announced today by the Federal Communications Commission.

In January 2023, years after the data was supposed to be destroyed, the vendor suffered a breach "when threat actors accessed the vendor's cloud environment and ultimately exfiltrated AT&T customer information," the FCC said. Information related to 8.9 million AT&T wireless customers was exposed.

Phone companies are required by law to protect customer information, and AT&T should not have merely relied on third-party firms' assurances that they destroyed data when it was no longer needed, the FCC said.

"AT&T used the vendor to generate and host personalized video content, including billing and marketing videos, for AT&T customers," an FCC press release said. "Under AT&T's contracts, the vendor should have destroyed or returned AT&T customer information when no longer necessary to fulfill contractual obligations, which ended years before the breach occurred. AT&T failed to ensure the vendor: (1) adequately protected the customer information, and (2) returned or destroyed it as required by contract."

The data "remained in the vendor's cloud environment for many years after it should have been deleted or returned to AT&T and was ultimately exposed" in the January 2023 breach, an FCC Enforcement Bureau order said.

Data should have been deleted in 2018

AT&T told the FCC that it shared customer data with the vendor between 2015 and 2017, and that data was supposed to be "securely destroyed or deleted" by 2018. The exposed data included "line count for all impacted customers, and bill balance and payment information and rate plan name and features for approximately one percent of impacted customers," the FCC said.

AT&T told Ars today that the data "did not contain credit card information, Social Security Numbers, account passwords or other sensitive personal information." AT&T said it notified customers of the breach in March 2023.

"AT&T stated that it monitored impacted customer accounts following the incident and identified no evidence of AT&T account-related fraud or other unlawful or unauthorized activity tied to the Breach," the consent decree said. "According to AT&T, porting, SIM swap, and equipment fraud rates for impacted customers following the incident were consistently less than the rates for the general population of AT&T Mobility customers across all account types."

When contacted by Ars, AT&T did not respond directly to the FCC's allegation that it failed to ensure the vendor protected customer information. AT&T provided us with a statement saying, "A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers. Though our systems were not compromised in this incident, we're making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors' data management practices."

Source: arstechnica.com
