In a recent settlement with the Federal Communications Commission (FCC) announced on September 17th, AT&T has agreed to pay $13 million following a major data breach that exposed customer proprietary network information (CPNI) stored in a vendor’s cloud environment. This is the second major breach to surface for AT&T this year. nGuard covered the first back in July, which affected almost all 110 million AT&T customers. Although the breaches compromised different types of data, they both spotlight ongoing challenges in securing data and prioritizing privacy.
Breakdown of the Breach
In January 2023, cybercriminals breached a vendor’s cloud environment used by AT&T for marketing content, accessing customer names, account numbers, and contact details—though no sensitive information like Social Security numbers was compromised. The incident shows the risk of relying on third-party providers without strict security controls. The FCC found AT&T had failed to enforce vendor compliance with data disposal requirements after contracts ended, prompting scrutiny of the company’s privacy, cybersecurity, and vendor management practices.
The Financial and Operational Fallout
AT&T’s hefty settlement with the FCC is just one small part of their response to the breach. The telecom giant has also committed to implementing several robust security measures, including enhanced tracking of data, vendor controls, a comprehensive information security program, and annual compliance audits.
However, the settlement also reveals larger issues in cloud security—particularly the role of cloud providers in safeguarding customer data. As more organizations move critical infrastructure to the cloud, they must recognize the importance of rigorous oversight of third-party vendors, especially in industries that handle sensitive customer information.
Implications for Cloud and Vendor Security
This settlement raises questions about the broader security challenges that come with outsourcing data management to vendors. While cloud environments offer flexibility and scalability, they can also increase the attack surface, making sensitive data more vulnerable if not properly managed.
To address this, companies must implement comprehensive data governance programs and demand better security protocols from their vendors, such as strong access controls and data encryption policies. A key takeaway from the AT&T breach is the importance of tracking and auditing vendor data retention policies and ensuring proper data disposal practices are followed to minimize exposure.
Proactive Security Measures from nGuard
This breach is not an isolated event, as TracFone, one of Verizon’s subsidiaries, also recently reached a $16 million settlement with the FCC back in July. To prevent similar incidents, nGuard offers a range of services designed to help you mitigate the risks associated with cloud environments and vendor management:
- Cloud Security and Configuration Audits: Examine your cloud infrastructure for misconfigurations and vulnerabilities, such as inadequate vendor oversight or weak data retention policies, to ensure compliance with industry best practices.
- Vulnerability Scanning: Regular scans to identify potential weaknesses in your systems and networks before attackers can exploit them.
- External and Internal Penetration Testing: Simulate real-world attacks on your organization’s infrastructure to uncover vulnerabilities, including those within cloud environments and vendor systems.
- Cybersecurity Incident Response: Should a breach occur, our experts are ready to help you quickly contain, investigate, and recover from security incidents.
- Managed SIEM: Continuous monitoring of network and cloud environments to detect and respond to potential security threats in real-time.
- Simulations and Education: Prepare your employees through social engineering followed by security awareness training to recognize phishing attempts, a common attack vector in cloud and vendor-related breaches.
- Strategic Gap Assessments: Evaluate your security posture and identify areas of improvement, including vendor management and cloud security practices.
The $13 million AT&T settlement serves as a reminder of the risks associated with third-party cloud vendors. By improving data governance, enhancing vendor controls, and adopting dynamic security approaches, businesses can mitigate the threat of future breaches. nGuard’s comprehensive suite of cybersecurity services ensures that your cloud and vendor environments remain secure, protecting your business and your customers.
