A penalty has now been set for T-Mobile's headline-grabbing data breaches of 2021 to 2023, with an FCC settlement of $31.5 million in place. That payment is split exactly in half: one part goes to a civil penalty, while the other must be put toward required cybersecurity improvements.
FCC settlement will likely cost T-Mobile even more in the long run
In concert with the Biden administration's focus on raising requirements for critical infrastructure companies, FCC Chairwoman Jessica Rosenworcel said that T-Mobile and its carrier competitors should be expected to have the highest levels of cybersecurity protection given the attacks they regularly face. Loyaan A. Egal, Chief of the FCC's Enforcement Bureau, clarified that this means threats from advanced nation-state hacking groups as well as from profit-seeking criminals.
The FCC settlement mandates that T-Mobile spend $17.5 million on specific security improvements, but it also notes that the company will likely have to spend much more over the next few years to fully implement all of the required measures. These include improved internal multi-factor authentication for employees, network segmentation, and a zero trust architecture. The company will also be required to conduct regular third-party audits to ensure compliance, and to improve its data minimization, inventory, and disposal processes.
Per the terms of the FCC settlement, T-Mobile must produce, within six months, a compliance plan outlining how it will tackle all of this. It is also required to implement stronger standards for its CISO position, though it remains unclear whether that means a change in the role is coming.
Roundup of 2021-23 T-Mobile data breaches prompts security overhaul
T-Mobile has been struggling with a chain of data breaches dating back to 2018, but the present FCC settlement addresses only those that took place from 2021 to 2023. As it happens, those were also the largest and most serious incidents.
In all cases, these data breaches involved an outside party breaking in and stealing customer information. 76 million records were taken in 2021, some of them containing very sensitive information such as Social Security numbers and account PINs. In early 2023 the company also discovered a long-running scheme by hackers who had specialized in social engineering its customer service reps into performing SIM swaps, offered as a service through Telegram. 2023 saw additional data breaches, including another major exposure of 37 million customer records that stemmed from the compromise of an API.
Given that it is now one of only three major mobile phone carriers in the United States, the long chain of data breaches has not threatened to put T-Mobile out of business; however, it continues to lag behind its main rivals AT&T and Verizon in customer count. A previous $350 million settlement in 2022 (a class action rather than an FCC settlement) was accompanied by a pledge to devote $150 million to cybersecurity improvements, but at minimum this did not appear to improve the company's defenses in 2023 (though, to be fair, the company has yet to suffer any comparable data breach in 2024, with about three months to go).