September 18, 2024 at 03:31PM
The Federal Communications Commission fined AT&T $13 million and ordered it to tighten privacy and security practices following a third-party compromise. The commission extended consumer protections to the cloud and found AT&T responsible for failing to oversee third-party provider Snowflake, which was compromised, exposing sensitive data. AT&T must improve security controls and vendor oversight.
The key takeaways are:
1. The Federal Communications Commission fined AT&T $13 million and ordered it to tighten up its privacy and security practices in response to a third-party compromise.
2. The commission extended consumer protections to the cloud under the Communications Act of 1934, as AT&T failed to maintain proper oversight of the third-party provider, Snowflake, which was compromised in January 2023.
3. AT&T acknowledged that nearly all its customers were impacted by exfiltrated call and text records, phone numbers, and other personally identifiable information following the Snowflake breach.
4. Following an investigation, the FCC ruled that Snowflake should have been required to “destroy or return” the information years prior to the incident, finding AT&T responsible for failing to appropriately protect its customer data.
5. The FCC expects carriers to meet the requirements of the Communications Act of 1934 and the Commission’s rules, including taking “every reasonable precaution” to protect customers’ proprietary or personal information, specifically in relation to cloud security, data retention, and disposal.
6. In addition to the fine, the FCC ordered AT&T to improve its overall information security controls and practices, including “multifaceted vendor controls and oversight.”