The US Federal Communications Commission (FCC) announced a $13 million settlement with AT&T to resolve an investigation over a data breach of a cloud vendor in 2023 which impacted 8.9 million mobile customers.

The FCC noted in January 2023 the unnamed cloud vendor suffered a data breach that exposed information related to AT&T customers.

AT&T reported the breach on 7 February 2023 and then filed a supplemental submission on 15 May 2023. Based on that information, the FCC’s Enforcement Bureau opened an investigation.

The operator used the cloud vendor to generate and host personalised video content including billing and marketing videos for its customers.

Under AT&T’s contracts, the vendor should have destroyed or returned customer information when no longer needed to fulfil contractual obligations, which ended years before the breach occurred.  

The FCC stated AT&T failed to ensure the vendor protected the information of its customers and to return or destroy the content as required by the contract.

To resolve the investigation, AT&T agreed to strengthen its data governance practices and increase its supply chain integrity for the handling of sensitive data to protect consumers against similar vendor data breaches in the future.

The US agency stated the terms of its consent decree will require the mobile operator “to make significant investments in and prioritise the safeguarding of customers’ information shared with third parties”, which it noted “will likely require expenditures far greater than the civil penalty”.

A representative for AT&T told Mobile World Live its systems were not compromised during the incident, and stated the data included information such as the number of lines on an account.

The data did not include credit card information, Social Security numbers, account passwords or other sensitive personal information.

“Protecting our customers’ data remains one of our top priorities. We’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.”