September 18, 2024 AT&T has agreed to pay a $13 million fine following a significant data breach that exposed information of 8.9 million wireless customers. This incident highlights the growing risks of supply chain attacks and the importance of robust data management practices, especially when working with third-party vendors.

AT&T shared customer bill information with a vendor to create personalized videos between 2015 and 2017.  The data was supposed to be destroyed by 2018, but remained in the vendor’s cloud environment for years. In January 2023, threat actors accessed the vendor’s cloud, exfiltrating AT&T customer information.

The FCC criticized AT&T for failing to ensure the vendor adequately protected the data and properly destroyed it when no longer needed.  

This breach underscores the vulnerabilities in the supply chain, where a company’s data security is only as strong as its weakest vendor.

As part of the settlement, AT&T must implement stricter controls on sharing data with vendors, including improved due diligence, enhanced vendor oversight, and annual compliance audits.

This case serves as a warning to other companies about the importance of managing data throughout its lifecycle, even when in the hands of third-party vendors.

This incident demonstrates how supply chain vulnerabilities can lead to significant data breaches, affecting millions of customers. It emphasizes the need for companies to take a more proactive approach in managing data security across their entire ecosystem of partners and vendors.