Date: 2024-09-20

AT&T found itself in some hot water with the FCC back in January 2023 when it was discovered that a partnering vendor had suffered a data breach involving AT&T customer information. While AT&T was not directly responsible for the breach, it allegedly failed to ensure that the vendor had destroyed the data when it was no longer needed, making AT&T liable. AT&T has now finally settled the issue with the FCC (via Ars Technica), agreeing to pay a $13 million fine and implement stricter controls on sharing data with its vendors.

The main issue was that the data collected should have been destroyed years earlier. Even though the breach wasn’t entirely AT&T’s fault, the law requires carriers to protect customer data. Therefore, it makes sense that the carrier would be held accountable for having lax or unclear policies around how to manage shared data.

It’s worth noting that while this is a serious security issue, the breach did not expose highly sensitive information such as credit card details, account passwords, or Social Security numbers. Instead, it included more basic information, like the number of lines on an account.

We reached out to AT&T for a statement on the FCC ruling, and here’s what their representative had to say:

“Protecting our customers’ data remains one of our top priorities. A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers. Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.”

What kind of enhancements is AT&T making exactly? According to the public version of the FCC’s consent decree, AT&T will be required to make significant investments in safeguarding data shared with third-party vendors. The decree also states that AT&T must require vendors to adhere to retention and disposal obligations related to customer information, limiting the quantity of customer data vulnerable to breaches. Additionally, AT&T must conduct annual compliance audits on all its vendors, and the FCC will be actively involved in ensuring AT&T meets its obligations under the settlement. The Commission will enforce these stricter requirements for the next three years.