AT&T’s $13M FCC Fine Could Be Tip of Costly Legal Iceberg
The company’s third-party 2023 data breach drew many class action lawsuits along with government scrutiny. The fine comes on the heels of another, larger breach related to the slew of Snowflake-linked attacks.
AT&T will pay a $13 million US Federal Communications Commission (FCC) fine to settle the watchdog’s investigation into a cloud breach that exposed phone records and data of nearly 9 million customers.
An unnamed vendor for AT&T Mobility customers fell victim to a data breach in early 2023. Data included subscriber information from 2015 to 2017. The FCC said AT&T failed to protect customers’ data and failed to meet regulatory requirements to return or destroy customer information well before the breach.
“The Communications Act makes clear that carriers have a duty to protect the privacy and security of customer data, and that responsibility takes on a new meaning for digital age data breaches,” FCC Chairwoman Jessica Rosenworcel said in a statement. “Carriers must take additional precautions given their access to sensitive information …”
A spokesperson for AT&T tells InformationWeek in a statement that they are taking steps to prevent future breaches. “Protecting our customers’ data remains one of our top priorities. Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.”
The company said it began notifying customers of the breach in March 2023. The data, the company said, did not include credit card information, Social Security Numbers, account passwords or other sensitive information.
“As high-value targets, communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data,” Enforcement Bureau Chief Loyaan A. Egal, who also serves as chair of the FCC’s Privacy and Data Protection Task Force, said in a statement. “… the Enforcement Bureau will not hesitate to take action against service providers that choose to put their customers’ data in the cloud, share that data with their vendors, and fail to be responsible custodians of the data.”
This is not the first crackdown on AT&T’s data governance issues. In April, the FCC fined the company $57 million for allegedly disclosing customers’ location information to a third party without consent.
And the company’s troubles could get worse as federal regulators investigate other breaches.
Snowflake’s MFA Mea Culpa and Third-Party Risk
In July, AT&T publicly disclosed that a third-party cloud provider (identified as Snowflake by Bloomberg) was breached by the same group that used stolen Snowflake credentials to target Advance Auto, Ticketmaster, Santander Bank, Neiman Marcus, and a slew of other high-profile organizations. That AT&T breach was much broader, and impacted 73 million customers, exposing call and text metadata during several months in 2022. In all, 165 companies were impacted by the Snowflake-related breaches.
As InformationWeek first reported, experts pointed to Snowflake’s lack of multifactor authentication enforcement controls as the vulnerability exploited by the hacker group that hit multiple companies. In July, Snowflake announced that administrators could enforce and control MFA on user accounts.
With such data breaches mounting and more federal scrutiny, the IT department is under more pressure than ever.
Alex Hamerstone, advisory solutions director for cybersecurity consultancy TrustedSec, says even companies that have strong data governance are still at risk. “When you look at companies who do all the right things, they still have challenges with data,” he tells InformationWeek in a phone interview.
Part of the problem is that it’s nearly impossible to police every vendor who may have access to data, he says. “I think that the way we as organizations handle vendor due diligence is largely broken. The sea change here is that you can fine me for not making sure the third party was doing what they were supposed to do … That’s a tough situation.”
The FCC’s recent decision on AT&T may be bad news for vendors such as Snowflake.
“With massive attention on this specific breach, the FCC’s decision around AT&T will set a precedent for similar incidents moving forward,” Asaf Kochan, president and co-founder of Sentra, tells InformationWeek in an email interview. “If the FCC, or another governing body, finds Snowflake made the same mistakes that AT&T made, they’ll have no other choice but to find them liable.”
How Can IT Leaders Better Defend Data?
There’s no question that CIOs, CDOs, CTOs, CISOs, and all IT leaders are under increasing pressure when it comes to data breaches and keeping sensitive information out of the hands of criminals. And with GenAI tools adding another layer of complexity, the job of security and data governance is getting more sophisticated.
“Inadequate data visibility and a lack of security posture enforcement can leave sensitive information exposed, often without detection, leading to third-party attacks,” Kochan says. “Because of this, it’s crucial to implement security measures that accurately discover where sensitive data resides and how it moves within the organization’s ecosystem. One way to do this is through GenAI … Specifically, GenAI can supercharge data security platforms … ”
Allison Sagraves, the former CDO of M&T Bank who now runs her own consultancy, says data security comes down to control. “Data is the raw material in the AI and digital age,” she says in an email interview. “Today’s digital supply chains require vigilance, risk management, and thoughtful governance in our increasingly interconnected world. Chief data officers and data leaders must implement stricter controls over their data supply chains to ensure data security meets the heightened expectations of customers, partners, and regulators.”
Sagraves says data leaders can improve data security and tighten supply chains by conducting ongoing vendor security audits, implementing risk-based vendor classification, and enforcing data security clauses in contracts.
TrustedSec’s Hamerstone says auditing third parties is crucial. “As a company, you need a lot of data management programs and then have mechanisms to audit and assess if data has been removed.”
He adds, “Data is the new oil; it’s so valuable.”