AT&T has agreed to a $13 million payout to the 8.9 million customers impacted by a data breach in January of last year.
The Federal Communications Commission (FCC) had been investigation the hack to determine if the company failed to protect its customers, but said Tuesday that the hefty fine has settled the issue.
While the telecom giant has been held responsible, it was the company’s third-party cloud vendor that was infiltrated by cybercriminals.
AT&T has 30 days to pay the civil penalty to the US Treasury, which will then could then determine how funds are to be allocated.
AT&T suffered a major data breach in January 2023. The company will now pay $13 million to impacted customers
The data breach exposed AT&T’s customer data from 2015 through 2017, and the FCC explained that the information should have been deleted from the cloud in 2017 or 2018.
Although AT&T customer’s credit card information, social security numbers or account information, the company and the FCC said exposed data did include how many lines were on the account, the bill balance and information about their rate plans.
‘The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,’ said FCC Chairwoman Jessica Rosenworcel.
As part of its investigation, the FCC required AT&T to sign a Consent Decree, promising to strengthen its data government practices and pay the $13 million settlement.
In response to the fine, Rosenworcel said that ‘carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches.’
AT&T has not confirmed if it will send follow-up emails or letters to those impacted or if it is setting up a website for customers to check if the payout applies to them.
The unnamed cloud vendor generated and housed personalized video content and held information about billing and marketing videos for customers.
AT&T’s contract with the vendor was terminated years before the breach, and the FCC said that at that time, it was no longer necessary to hold the data.
At that time, AT&T should have taken measures to protect customer information and ensured the vendor returned or destroyed the data, which was a specified requirement in the contract.
The commission reported it is also holding AT&T accountable for making ‘significant investments’ in protecting customers’ information that’s shared with third parties which ‘will likely require expenditures far greater than [the fine].’
AT&T confirmed it will take steps to increase security measures to protect customer’s data and prevent future breaches.
‘Protecting our customers’ data remains one of our top priorities,’ an AT&T spokesperson told DailyMail.com.
‘Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.’
DailyMail.com has reached out to the FCC for comment.