One-half of the settlement amount, or $15.75 million, will be reinvested in the company as a cybersecurity investment. That fund is earmarked for remediating security weaknesses and increasing resilience to cyber threats. The other half is a civil penalty.
The breaches impacted millions of customers across the US, prompting the FCC to open an investigation into whether the company failed to meet its duty to safeguard customer data, allowed access to individually identifiable customer proprietary network information (CPNI) without customer consent, and had lax security practices.
The breaches
The first incident occurred on August 21, 2021, when a hacker accessed the company’s network and customer data such as name, address, date of birth, Social Security number, driver’s license number, device identifier, and account PIN. In late 2022, another threat actor gained access to the management platform for T-Mobile‘s mobile virtual network operators (MVNOs), which contains customer information.
In early 2023, a cybercriminal stole T-Mobile account credentials and used them to reach a frontline sales application for which remote access had been enabled during the COVID-19 pandemic, allowing them to view certain customer data.
In January 2023, a misconfigured permissions setting allowed a threat actor to obtain customer account data.
The civil penalty will be paid to the United States Treasury and T-Mobile is required to spend $15,750,000 over the next two years to improve its cybersecurity program and implement a compliance plan to protect consumers from similar breaches in the future.
T-Mobile is going to designate a Chief Information Security Officer who will report to the Board of Directors on cybersecurity issues. It also commits to adopting a zero trust security framework to limit the blast radius of a breach and to implementing phishing-resistant multifactor authentication (MFA) to strengthen the security of its network.
The company has also decided to conduct independent third-party assessments of its information security practices.
The FCC calls this settlement “groundbreaking,” and hopes it will send a message to other companies that there will be consequences if they don’t strengthen their systems. The Commission previously settled breach investigations with Verizon‘s TracFone for $16 million and with AT&T for $13 million.
With T-Mobile steadily acquiring more companies to grow its customer base, it is now in possession of more data than ever before, which underscores the importance of a watertight security program.
The wide-ranging terms set forth in today’s settlement are a significant step forward in protecting the networks that house the sensitive data of millions of customers nationwide. With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans’ sensitive data. We will continue to hold T-Mobile accountable for implementing these commitments.
Loyaan A. Egal, Chief of the Enforcement Bureau and Chair of the Privacy and Data Protection Task Force, September 2024