AT&T to Pay $13 Million to Settle FCC Case of 2023 Data Breach
2024-9-19 04:37:36 Author: securityboulevard.com

AT&T will pay $13 million to settle an investigation by the Federal Communications Commission (FCC) into whether the telecom giant was adequately protecting customers’ information in the wake of a breach early last year.

The sensitive data of almost 9 million wireless customers was exposed when bad actors breached the cloud environment of a third-party vendor, leading investigators to question whether company security systems were strong enough to protect against such supply chain attacks.

The case put yet another spotlight on the increasingly complex threat environment as more organizations store their customers’ data in the cloud.

Loyaan Egal, chief of the FCC’s Enforcement Bureau and chair of the agency’s Privacy and Data Protection Task Force, said in a statement that his office “will not hesitate to take action against service providers that choose to put their customers’ data in the cloud, share that data with their vendors, and then fail to be responsible custodians of that data.”

Along with the fine, AT&T agreed to a consent decree with the FCC to strengthen its privacy and data protection practices.


An Issue of Third-Party Vendors

According to the FCC, AT&T used a third-party vendor to create and host personalized video content around billing and marketing aimed at the telecom’s customers. The contract with the vendor called for the vendor to destroy or return AT&T customer information when it was no longer needed. The contract with the vendor ended years before the data breach.

However, AT&T failed to ensure that the vendor adequately protected the customer information and that it had returned or destroyed the data, per the contract.

The hackers stole the information after breaching the vendor’s cloud environment in January 2023.

FCC Chairwoman Jessica Rosenworcel said in a statement that the Communications Act of 1934 “makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches. Carriers must take additional precautions given their access to sensitive information.”

Data Breaches and the Cloud

The consent decree paints a picture of how the telecommunications sector has evolved in the cloud computing era. Last year, more than 80% of data breaches involved data that was stored in the cloud, and cybersecurity researchers pointed to the telecom industry as a top target for cloud attackers, echoing Egal’s statement that AT&T and its competitors are “high-value targets” and thus “have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data.”

In addition, the FCC noted that cloud misconfigurations and vendor systems were two of the three top causes last year of data breaches involving personal data and – citing the National Security Agency – that data stored in the cloud “may become ‘an easy target’ when companies ‘unintentionally misuse the cloud, such as allowing excessively permissive cloud access, having unrestricted ports, and use unsecured backups.’”

Such growing risks to privacy and security linked to the cloud and third-party vendors help drive the need for the terms of the consent decree, the FCC wrote.

Improving Security

The consent decree lists six steps AT&T must take, including protecting customer proprietary network information (CPNI) – information related to consumers’ calls, including the type, destination, and length of the call, who was called and when, and billing data – and other sensitive information, and limiting vendor access to the data.

In addition, AT&T will have to improve its security program, institute multifaceted vendor controls and strong oversight, enhance its data inventory processes to better track the customer data shared with vendors, require vendors to adhere to retention and disposal obligations, and undergo annual audits to evaluate the carrier’s compliance with the consent decree.

“Implementing the terms contained in this Consent Decree will require AT&T to make significant investments in, and prioritize, the safeguarding of customers’ information shared with third parties,” the FCC wrote. “Given AT&T’s size, number of customers, and extensive use of vendors, this will likely require expenditures far greater than the civil penalty herein.”

The fine comes two months after AT&T said it was notifying about 110 million consumers of a data breach in April in which hackers accessed an AT&T workspace on a third-party cloud platform and exfiltrated files that included AT&T records of customer phone calls and text messages from between May 1 and October 31 in 2022, as well as on January 2, 2023.

In a filing with the Securities and Exchange Commission (SEC) in July, the carrier wrote that an “analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (‘MVNO’) using AT&T’s wireless network.”



Article source: https://securityboulevard.com/2024/09/att-to-pay-13-million-to-settle-fcc-case-of-2023-data-breach/