T-Mobile will pay $31.5 million in FCC compensation for four data breaches

The Federal Communications Commission (FCC) has announced a $31.5 million settlement with T-Mobile over multiple data breaches that compromised the personal information of millions of U.S. consumers.

This agreement resolves the FCC Enforcement Bureau's investigations into multiple cybersecurity incidents and resulting data breaches that impacted T-Mobile's customers in 2021, 2022 and 2023 (an API incident and a distribution application breach).

As part of the settlement, the telecommunications provider must invest $15.75 million in cybersecurity improvements and pay an additional $15.75 million civil penalty to the U.S. Treasury Department.

The company has also committed to implementing more robust security measures, including adopting modern cybersecurity frameworks such as zero trust architecture and phishing-resistant multi-factor authentication.

“Today’s mobile networks are top targets for cybercriminals. Consumer data is too important and far too sensitive to receive anything less than the best cybersecurity protection,” said FCC Chairwoman Jessica Rosenworcel.

“We will continue to make it clear to providers entrusted with this sensitive information that they must strengthen their systems or there will be consequences.”

As part of the agreement, T-Mobile committed to improving its privacy, data security and cybersecurity practices by addressing fundamental security vulnerabilities, improving cyber hygiene and adopting robust modern architectures. The commitments include:

  • Providing the Board with regular cybersecurity updates from the company's Chief Information Security Officer to ensure better oversight and governance,
  • Implementing data minimization, data inventory and data disposal processes to limit the collection and retention of customer information,
  • Detecting and tracking critical network resources to prevent misuse or compromise,
  • Working to implement a modern zero trust architecture and segmenting its networks to improve security,
  • Assessing information security practices through independent third-party audits,
  • Introducing multi-factor authentication across all enterprise systems to prevent security risks related to data leaks, theft, and the sale of stolen credentials.

“As companies like T-Mobile and other telecommunications service providers operate in an area where national security and consumer protection interests intersect, we are focused on ensuring that critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and to help prevent future threats to Americans’ sensitive data,” added Loyaan A. Egal, head of the FCC’s Enforcement Bureau.

The FCC's Privacy and Data Protection Task Force, established by Chairwoman Rosenworcel in 2023, played a central role in the investigation and settlement, just as it did when the FCC reached similar settlements with AT&T in September 2024 ($13 million) and with Verizon, on behalf of its subsidiary TracFone Wireless, in July 2024 ($16 million).

Additionally, in April 2024, the FCC fined the largest U.S. wireless carriers nearly $200 million for sharing their customers' real-time location data without their consent.

The April forfeiture orders finalized the Notices of Apparent Liability (NAL) issued in February 2020 against AT&T, Sprint, T-Mobile and Verizon and imposed multimillion-dollar fines on each of the four wireless carriers: $12 million for Sprint and $80 million for T-Mobile (the two carriers have merged since the investigation began), more than $57 million for AT&T and nearly $47 million for Verizon.

In February, the FCC also updated its data breach notification rules to require telecommunications companies to report data breaches affecting their customers' personal information within 30 days.
