The Federal Communications Commission fined AT&T $13 million and ordered it to tighten up its privacy and security practices in the wake of a catastrophic third-party compromise.
The commission also used its authority under the Communications Act of 1934 to extend consumer protections to the cloud, finding AT&T failed to maintain proper oversight of a third-party provider.
That vendor, data warehousing provider Snowflake, reportedly was compromised in January 2023, exposing a host of organizations' sensitive data, among them AT&T's. In the weeks that followed the breach, AT&T acknowledged "nearly all" its customers were affected by exfiltrated call and text records, phone numbers, and other personally identifiable information.
Following an investigation, the FCC ruled on Sept. 16 that Snowflake should have been required to "destroy or return" the information years prior to the incident, and found AT&T responsible for failing to appropriately protect its customer data.
"The Commission expects carriers to meet the requirement of the [Communications Act of 1934] and the Commission's rules, including to take 'every reasonable precaution' to protect customers' proprietary or personal information," the agency said in its ruling. "That includes reasonable practices as they relate to cloud security, data retention, and disposal."
In addition to the fine, the FCC ordered AT&T to improve its overall information security controls and practices, including "multifaceted vendor controls and oversight."