AT&T fined $13M for data breach after giving customer bill info to vendor
Enlarge (credit: Getty Images | Ronald Martinez)
AT&T agreed to pay a $13 million fine because it gave customer bill information to a vendor in order to create personalized videos, then allegedly failed to ensure that the vendor destroyed the data when it was no longer needed. In addition to the fine, AT&T agreed in a consent decree announced today by the Federal Communications Commission to stricter controls on sharing data with vendors.
In January 2023, years after the data was supposed to be destroyed, the vendor suffered a breach "when threat actors accessed the vendor's cloud environment and ultimately exfiltrated AT&T customer information," the FCC said. Information related to 8.9 million AT&T wireless customers was exposed.
Phone companies are required by law to protect customer information, and AT&T should not have merely relied on third-party firms' assurances that they destroyed data when it was no longer needed, the FCC said.