T-Mobile agrees to multi-million dollar settlement with FCC over data breaches
US regulator the Federal Communications Commission (FCC) has announced that T-Mobile has agreed to security upgrades and a $15.75 million civil penalty after an investigation into ‘significant data breaches.’
October 1, 2024
This comes after multiple cybersecurity breach investigations by the regulator – it opened cases into incidents involving the operator in 2021, 2022, and 2023. These investigations related to breaches ‘which affected millions of cell phone customers, were varied in their nature, exploitations, and apparent methods of attack.’
T-Mobile has agreed to measures to ‘address foundational security flaws, work to improve cyber hygiene, and adopt robust modern architectures’, such as zero trust and phishing-resistant multi-factor authentication, says the FCC.
The settlement will see T-Mobile spend $15.75 million on upgrading cybersecurity and pay a $15.75 million civil penalty to the US Treasury.
“The wide-ranging terms set forth in today’s settlement are a significant step forward in protecting the networks that house the sensitive data of millions of customers nationwide,” said Loyaan A Egal, Chief of the Enforcement Bureau and Chair of the Privacy and Data Protection Task Force.
“With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans’ sensitive data. We will continue to hold T-Mobile accountable for implementing these commitments.”
The concessions include T-Mobile committing to have its Chief Information Security Officer give regular reports to the board concerning the firm’s ‘cybersecurity posture’ and business risks posed by cybersecurity, moving toward a ‘modern zero trust architecture’ and segmenting its networks, as well as adopting multi-factor authentication methods within its network.
FCC Chairwoman Jessica Rosenworcel added: “Today’s mobile networks are top targets for cybercriminals. Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”
In 2023, T-Mobile revealed that a hacker exploited an application programming interface (API) to gain unauthorised access to customer information. The operator believed the attack commenced around 25 November the previous year, but it apparently didn’t learn it was under attack until 5 January.
Earlier, in August 2021, the operator revealed that a hacker had accessed information pertaining to 7.8 million existing customers, and more than 40 million former and prospective customers – a figure which was subsequently revised upwards to around 76.6 million.