AT&T to pay $13 million to settle cloud breach

The FCC says AT&T is “strengthening its data governance practices”

The U.S. Federal Communications Commission today (Sept. 17) announced that AT&T will pay $13 million to settle an investigation associated with a customer data breach made public in July. The settlement is related to a hacking incident that impacted nearly all subscribers and occurred during a six-month period in 2022. 

Based on an U.S. Securities and Exchange Commission filing made by AT&T, the carrier said in learned in April this year that a “threat actor…unlawfully accessed and copied AT&T call logs.” After discovering the incident, AT&T “immediately activated its incident response process.” The company’s workspace cloud platform provided by Snowflake was “unlawfully accessed.” 

Based on a consent decree AT&T has entered into with the FCC, the operator will make “consumer privacy upgrades, including enhanced customer data tracking, a vendor requirement to “adhere to retention and disposal obligations;” implementation of “multifaceted vendor controls and oversight;”  a “comprehensive information security program;” and an annual compliance audit. 

FCC Chairwoman Jessica Rosenworcel said, “The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches. Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”

In its announcement, the FCC also said that AT&T’s implementation of the items delineated in the consent decree “will likely require expenditures far great than” the $13 million civil penalty.