AT&T reached a $13 million settlement with the Federal Communications Commission on Tuesday to resolve the agency’s investigation into a January 2023 third-party breach that exposed data of 8.9 million customers.
The telecom operator committed to strengthening its data governance practices and supply chain security as part of the settlement, the FCC said. AT&T is required to protect, properly dispose of and limit access to customer proprietary network information, the type of customer account data wireless operators collect for internal use and sell to third parties for marketing purposes.
“AT&T failed to ensure its vendor adequately protected that customer information,” Loyaan Egal, chief of the FCC’s enforcement bureau, said Tuesday in the consent decree. “Instead, it remained in the vendor’s cloud environment for many years after it should have been deleted or returned to AT&T and was ultimately exposed in the 2023 breach.”
AT&T’s settlement with the FCC involves a serious breach, but repeated security lapses, including a third-party breach that exposed data on nearly all of its customers, show a pattern.
AT&T said it’s no longer working with the third-party vendor involved in the January 2023 data breach, and noted the exposed data did not include credit card information, Social Security numbers or account passwords.
“Protecting our customers’ data remains one of our top priorities,” a company spokesperson said Tuesday via email.
“Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices,” the spokesperson said.
The data privacy governance improvements AT&T agreed to should have already been part of its standard process, said Zeus Kerravala, founder and principal analyst at ZK Research.
“What's the expression, fool me once, shame on you, fool me twice, shame on me?” Kerravala said.
Recurring telecom breaches accentuate pattern
AT&T is not alone in experiencing a pattern of extensive breaches exposing customer data.
T-Mobile publicly acknowledged eight data breaches between 2018 and 2023, the worst of which occurred in August 2021 and exposed the personal data of at least 76.6 million people.
Telecom network operators are a high-value target for cybercriminals in part due to the sensitive data they hold and the massive customer bases they serve. AT&T banked $3.9 billion in net income on $29.8 billion in revenue in the second quarter of 2024.
A cyberattack targeting AT&T’s Snowflake environment in April compromised data on almost all of the telecom provider’s wireless customers, nearly 110 million people.
AT&T was one of more than 100 Snowflake customers caught in a widespread identity-based attack spree targeting the cloud-based data warehouse vendor’s customers. Attackers accessed AT&T’s Snowflake environment for 11 days and stole customers’ call and text message records spanning a six-month period from 2022.
In a separate incident in March, AT&T said it determined a data leak on the dark web included sensitive data on about 7.6 million current customers and approximately 65.4 million former customers.
“AT&T's multiple breaches should be a signal to customers that it's likely another breach will occur unless security operations are given a major facelift,” Kerravala said.
“We rely on phones to live our lives. We communicate, shop, educate, bond and entertain over mobile devices,” Kerravala said. “Customers trust AT&T to protect their data and the telecom company let them down.”