AT&T has agreed to pay a $13 million penalty to resolve a Federal Communications Commission probe into a third-party cloud vendor breach in January 2023 that resulted in the exfiltration of data belonging to more than 8.9 million of its customers, reports CyberScoop.
An FCC investigation found that AT&T had failed to dispose of customer data shared with the unnamed firm it enlisted for billing and marketing efforts dating back to 2017 and 2018, even though several evaluations from 2016 to 2020 purported to show the vendor's compliance with data deletion policies. Beyond paying the fine, the settlement requires AT&T to conduct yearly compliance audits, establish an extensive information security program, and bolster oversight of its third-party vendor ecosystem through restricted customer data access and more stringent data removal policies. Such action should prompt other companies to better ensure customer data privacy, according to FCC Enforcement Bureau Chief Loyaan Egal.