AT&T fined $13M for data breach after giving customer bill info to vendor
AT&T agreed to pay a $13 million fine because it gave customer bill information to a vendor in order to create personalized videos, then allegedly failed to ensure that the vendor destroyed the data when it was no longer needed. In addition to the fine, AT&T agreed to stricter controls on sharing data with vendors in a consent decree announced today by the Federal Communications Commission.
In January 2023, years after the data was supposed to be destroyed, the vendor suffered a breach “when threat actors accessed the vendor’s cloud environment and ultimately exfiltrated AT&T customer information,” the FCC said. Information related to 8.9 million AT&T wireless customers was exposed.
Phone companies are required by law to protect customer information, and AT&T should not have merely relied on third-party firms’ assurances that they destroyed data when it was no longer needed, the FCC said.