AT&T left your data in the cloud until it got hacked, instead of deleting it when it should have

by · Android Police

Key Takeaways

  • AT&T failed to protect customer data, leading to a major breach in 2024, exposing millions of call and text records.
  • Failure to ensure vendor compliance led to the data breach and exposed details of nearly 9 million AT&T Mobility customers from 2015 to 2017.
  • AT&T settled for $13 million with the FCC, agreeing to implement better data handling practices to prevent future breaches.

AT&T isn’t having the best year. An SEC filing revealed in July 2024 that the carrier suffered a major data breach, exposing millions of its customers' call and text records to hackers. In April, AT&T also admitted that the data of its customers — specifically from 2019 or earlier — may have been compromised in a data breach. While data breaches are common and sometimes unavoidable, new information reveals AT&T could have prevented your data from getting hacked, but it didn’t.

AT&T allegedly failed to protect customers' data when its cloud vendor was hacked in January 2023, per a statement from the FCC (via Ars Technica). AT&T hired the vendor to create and host personalized video content, like billing and marketing videos, for its customers. According to AT&T’s contracts, the vendor was supposed to return or destroy customer info when it was no longer needed, which should have happened years before the breach. The FCC said AT&T not only failed to make sure the vendor protected the customer data but also didn’t ensure it was returned or destroyed as required by the contract.

The data breach exposed information on nearly 9 million AT&T Mobility customers. The leaked data included subscriber details from 2015 to 2017, like the number of phone lines on an account, but didn’t include sensitive details like Social Security or credit card numbers.

AT&T should have deleted data in 2018

The FCC said AT&T gave the vendor its customer data between 2015 and 2017, and the contract required the carrier to have that data “securely destroyed or deleted” by 2018. The data remained in the vendor's cloud environment for around five years and was ultimately exposed. While AT&T hasn't admitted any wrongdoing, it agreed to settle for $13 million to resolve the FCC’s claims (PDF).

As part of the settlement, AT&T also agreed to improve its data handling practices and put in place specific procedures for managing customer info going forward, which will probably cost a lot more than the $13 million fine.