Summary

  • FCC fines AT&T $13M: AT&T hit with a $13 million penalty for a 2023 breach affecting 8.9 million customers.
  • Third-party fail: Breach traced back to a third-party vendor’s cloud environment, not AT&T’s own systems.
  • Data compromised: Exposed data included account details; sensitive info like credit card numbers and Social Security numbers were not affected.
  • Previous breaches: AT&T has a history of data breaches, including incidents in 2014 and recent issues in 2024.
  • Key lesson: Companies must ensure robust security across their entire supply chain, not just within their own operations.

The Federal Communications Commission (FCC) has imposed a hefty $13 million fine on AT&T following a cloud security lapse that resulted in a data breach last year, compromising the personal information of 8.9 million customers.

In an unusual twist, the breach didn’t originate within AT&T itself but rather stemmed from a security incident involving one of its third-party providers. This development highlights the growing risks associated with third-party partnerships in the digital age.

So, what led to this breach, and why is AT&T facing this financial penalty? Here’s a breakdown of the incident and the crucial lessons to be learned.

AT&T breach: Timeline of events

In January 2023, a breach originating from a third-party vendor’s cloud environment exposed AT&T customer data, marking a significant supply chain security failure.

The compromised information included account details such as the number of lines, and in some instances, billing and rate plan data. However, sensitive information like credit card numbers, Social Security numbers, and account passwords remained unaffected, according to statements from AT&T and the FCC.

AT&T had partnered with this unnamed vendor since 2016 to create and manage personalized video content, including billing and marketing materials. The contract stipulated strict protocols for the protection and disposal of customer data, and between 2016 and 2020, several reviews affirmed the vendor’s compliance with data deletion policies.

Despite these assurances, the breach involved data that should have been deleted by 2017. The FCC’s investigation found AT&T’s oversight of customer data and vendor management fell short, leading to the breach.

FCC Enforcement Bureau Chief Loyaan Egal emphasized that the fine underscores the agency’s heightened scrutiny of how companies manage and secure customer data across their supply chains.

“Our investigations into data breaches now include a thorough examination of vendor locations and data retention practices,” Egal stated. “Companies must ensure they can track and manage data used by their third-party partners effectively.”

Not a one-off

The 2023 breach is not AT&T’s first encounter with data security issues, nor is it likely to be the last. In 2014, AT&T experienced two significant breaches: one involved a former employee accessing customers’ Social Security numbers and driver’s licenses, while another saw third-party vendor employees accessing sensitive customer data.

The company’s data security woes have continued into 2024. This spring, AT&T had to reset passcodes for 73 million customers after their passwords were exposed on the dark web, leading to a wave of class-action lawsuits from affected customers.

Lessons learned

The FCC’s fine underscores the importance of supply chain security for companies everywhere. It’s no longer enough to worry solely about your own company’s data security practices. You also need to consider the cybersecurity posture of every entity you work with.

As this breach shows, a vendor’s assurances alone are not enough. To truly protect data, organizations must combine steadfast policies with cloud-based data security controls that verify those assurances in practice. This is the only way to ensure that suppliers stay true to their word.

For detailed guidance on this topic, read our blog on how to prevent third-party data breaches.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.
