20.5k unique visitors in the last 3 days

AT&T Agrees to Pay USD13mn Settlement for 2023 Data Breach

There are always more privacy breaches by AT&T but the excuses remain the same and the penalties remain light.

This article is about AT&T and the penalty it agreed for the breach which occurred in January 2023 involving the personal data of 9 million people. This particular data breach should not be confused with the AT&T breach made public in March 2024 involving the personal data of 73 million people or the AT&T breach made public in May 2024 involving the personal data “of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network”. The US Federal Communications Commission (FCC) decided the January 2023 breach merited AT&T handing over USD13mn in cash and making a bunch of promises and agreeing to audits which essentially mean AT&T will start doing things they should have been doing anyway. According to the FCC this represents a ‘privacy upgrade’…

In 2023, FCC Chairwoman Rosenworcel established the Privacy and Data Protection Task Force, an FCC staff working group focused on coordinating across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors, including data breaches… Thanks to the work of the Task Force and a renewed focus on consumer protections more broadly under Chairwoman Rosenworcel, the Commission secured similar “Consumer Privacy Upgrades” covering beneficial data protection, cybersecurity, and consumer privacy terms with the largest wireless carriers, including today’s AT&T settlement…

Readers will have to look at the detail of the FCC’s findings and decide for themselves if USD1.46 for every individual whose data was breached represents a fair deal for both AT&T and the public who are put at risk every time their personal data is obtained by criminals. AT&T will say they are not really to blame because a vendor who handled the data failed to satisfy the terms of their contract. This kind of argument seems to be taken seriously by the FCC, even though AT&T should have checked if their vendor performed as expected. If telcos are not held liable for the bad behavior of suppliers that manage data on their behalf then they could easily eliminate any responsibility for data protection by writing contracts that imply suppliers are responsible for everything.

Long-serving readers will remember that blaming other companies for data breaches is a common theme for AT&T. Some may even remember that the same rationalization was proferred in 2015, when AT&T and FCC reached a then-record settlement of USD25mn for a breach involving offshored call centers that affected 280,000 AT&T customers. The data involved in that breach was more sensitive, but what the FCC now describes as a ‘privacy upgrade’ looks more like treading water when observing the number of breaches that have occurred over time. Regulators in most countries tend to increase penalties when the same rules are repeatedly broken by the same business. AT&T has had two more serious data breaches since the one covered by this latest settlement, begging the question of whether penalties are being geared up to motivate necessary change.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email