FCC reaches $13m settlement with AT&T for vendor data breach

Threat actors obtained customer data by breaching the cloud environment of a former vendor.

US telecom giant AT&T has agreed to pay $13m to settle a Federal Communications Commission (FCC) investigation into the company’s supply chain integrity and an alleged cloud breach.

In January 2023, threat actors were able to penetrate the systems of a former vendor of AT&T, which made it possible to exfiltrate customer information from its cloud environment.

AT&T had used the vendor to produce and host personalized video content for customers – but had stopped using its services a number of years back. The vendor was meant to have either destroyed or returned the data once it was no longer required to fulfill contractual obligations. Unfortunately, the vendor did neither.

According to the FCC, it was AT&T who failed to ensure that the vendor:

  • properly protected the customer information; and
  • returned or destroyed the data as was required by the contract.

Besides the fine, AT&T has also agreed to enter into a consent decree committing the company to strengthen its data governance practices in order to improve its supply chain integrity. It is also intended to ensure that adequate processes and procedures are incorporated into its operations to handle and protect sensitive customer data.

“As high-value targets, communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data,” said Loyaan A. Egal, FCC enforcement bureau chief.

“Carriers must take additional precautions given their access to sensitive information,” added Jessica Rosenworcel, FCC chair.

Other fines and data breaches

AT&T has been in the spotlight in the last few years, both as a result of suffering data breaches of its own systems, as well as failing to protect data it handled more widely, and has also been fined for other regulatory failings.

Some notable data incidents include:

  • July 2024: a data breach affecting 109 million customers. In a regulatory filing, AT&T disclosed that hackers had stolen the call records of tens of millions of its customers. The company proceeded to pay a member of the hacking team more than $300,000 to delete the data and to provide a video demonstrating proof of its deletion.
  • April 2024: AT&T, Sprint, T-Mobile and Verizon were fined close to $200m by the FCC for illegally sharing access to customers’ location data without their consent. They were also found not to have taken adequate measures to protect the data against unauthorized disclosure.
  • April 2024: AT&T suffered a major data breach affecting 7.6 million existing account holders and 65.4 million past subscribers. The data has since been found on the dark web in a wider set of data which included AT&T specific data fields. Some of this leaked data included customers’ personal information such as social security numbers.
  • 2023: A similar breach to the one directly above, but this time involving the data of nine million customers stolen when the company’s marketing vendor suffered a security failure. The breach came to light after customers posted email communications purportedly from AT&T on community forums in order to determine their authenticity. The breached data included first names, wireless account numbers, wireless phone numbers, and email addresses.

GRIP Comment

What jumps out for us here at GRIP is the fact that it was a vendor who failed to follow basic protocol and who was compromised. But it was AT&T as the owner of the data who was held responsible for the vendor’s actions. 

Using third parties can improve efficiency and reduce costs. However, it does involve some risk. This might be unexpected system vulnerabilities as a result of possible access / penetration points. Or, as in this instance, it might involve providing a third party with access to valuable data that itself becomes a potential target.

The FCC enforcement bureau chief speaks about a company’s obligation to “reduce the attack surface” and that is definitely right, but, in a sense, this type of external data transfer is potentially far more risky because it takes the data right outside of the safety net maintained by the company’s IT staff. The nature of the relationship between the company and the vendor is key and some relationships will inherently be far riskier than others.

Not in doubt is the fact that understanding, managing and de-risking vendor relationships is fast becoming a crucial aspect of an effective information security operation for any company that outsources some of its operations or functions.