AT&T has agreed to pay $13 million to settle a federal investigation into whether the mobile phone service provider failed to protect customer information in connection with a data breach last year, the Federal Communications Commission said Tuesday.  

The FCC's probe focused on how AT&T's privacy, cybersecurity and vendor management practices may have played a role in the January 2023 breach, in which hackers penetrated the company's cloud system. The breach exposed data belonging to nearly 9 million wireless customers. 

As part of the settlement, AT&T entered a consent decree that requires the telecommunications giant to enhance its data governance practices, increase its supply chain integrity, and ensure appropriate processes and procedures in handling sensitive data.

Before the cyberattack, AT&T relied on a third-party vendor to host customer data. The user information exposed in the hack, including the number of lines on a customer's account and billing information from 2015 through 2017, should have been deleted well before the breach, according to the FCC. The sensitive information did not include customers' bank information, Social Security numbers or account passwords.

"The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches," FCC Chairwoman Jessica Rosenworcel said in a statement. "Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that's the case no matter which provider a customer chooses.

FCC Enforcement Bureau Chief Loyaan A. Egal also said telecom firms "have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data."

AT&T has been subject to subsequent breaches, including an April cyberattack it disclosed in July in which hackers "nearly all" of its cellular customers' text and call records for a six-month period between May 1, 2022 to Oct. 31, 2022.

For its part, AT&T told CBS News that "protecting our customers' data remains one of our top priorities."

AT&T said that when a vendor it previously used was breached, its own wireless customer data was exposed. 

"Though our systems were not compromised in this incident, we're making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors' data management practices," a spokesperson said.