FCC Orders T-Mobile to Pay $31.5 Million for Data Breaches Affecting Millions of Customers

The Federal Communications Commission (FCC) has reached a settlement with T-Mobile for $31.5 million, stemming from a string of data breaches that occurred in 2021, 2022, and 2023. This significant settlement is a direct result of the company’s failure to safeguard customer data, allowing unauthorized access to sensitive information, and neglecting to implement adequate security measures.

The Breaches

The first incident occurred on August 21, 2021, when a hacker gained access to T-Mobile’s network, compromising customer data such as names, addresses, dates of birth, social security numbers, driver’s license numbers, device identifiers, and account PINs.

In late 2022, another threat actor successfully breached the management platform for T-Mobile’s mobile virtual network operators (MVNOs), obtaining customer information.

In early 2023, a cybercriminal stole T-Mobile account credentials and accessed a frontline sales application, allowing them to view certain customer data.

Additionally, a misconfigured permissions setting in January 2023 allowed a threat actor to obtain customer account data.

Cybersecurity Measures

As part of the settlement, T-Mobile is required to spend $15.75 million over the next two years to improve its cybersecurity program and implement a compliance plan to protect consumers from similar breaches in the future.

The company will also designate a Chief Information Security Officer who will report to the Board of Directors on cybersecurity issues. T-Mobile aims to adopt a zero-trust security framework to reduce the impact radius of breaches and implement phishing-resistant multifactor authentication (MFA) to bolster the security of its network.

Independent third-party assessments of its information security practices will also be conducted.

FCC’s Stance

The FCC calls this settlement “groundbreaking,” hoping it will send a message to other companies that there will be consequences for failing to beef up their systems. The Commission previously settled with Verizon’s TracFone for $16 million and AT&T for $13 million for resolving breach investigations.

With T-Mobile’s continued growth through acquisitions, it’s now responsible for a larger amount of customer data, emphasizing the importance of a robust security system.

Quote

“The wide-ranging terms set forth in today’s settlement are a significant step forward in protecting the networks that house the sensitive data of millions of customers nationwide. With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans’ sensitive data. We will continue to hold T-Mobile accountable for implementing these commitments.”

— Loyaan A. Egal, Chief Enforcement Bureau and Chair Privacy and Data Protection Task Force, September 2024