T-Mobile to pay fines, pledges to up upgrade cybersecurity after repeat data breaches
The telecom giant will pay $15.75 million to the Department of Treasury and front an additional $15.75 million for cybersecurity improvements and compliance.
The Federal Communications Commission said it reached a sweeping settlement with T-Mobile in the wake of several data breaches that affected the mobile telecom services giant over the past several years, with the company agreeing to pay fines and rearrange its governance structure to better focus on cybersecurity.
As part of the agreement, T-Mobile’s chief information security officer will now deliver regular cybersecurity reports to its board of directors, the FCC said. The company will also modernize its security architecture and implement multifactor authentication tools that verify if an intruder is masquerading as a legitimate user on its systems, among other things.
It will also pay a $15.75 million civil penalty to the Treasury Department and make an additional $15.75 million investment for internal cybersecurity improvements and compliance, per terms of the settlement.
“We take our responsibility to protect our customers’ information very seriously. This consent decree is a resolution of incidents that occurred years ago and were immediately addressed. We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so,” T-Mobile said in a statement.
The legal resolution addresses “multiple cybersecurity breach investigations,” the FCC said in a statement, which added that it had opened cases into cyber incidents involving T-Mobile in 2021, 2022 and 2023.
The company last year suffered several data exposures. In 2021, it faced a major data breach that exposed millions of customers’ sensitive personal information, including social security numbers and driver’s licenses. The FCC’s Enforcement Bureau said the investigations pertained to incidents in those years in which data breaches were enabled by “criminal acts of third parties” and lists instances that prompted the investigations.
“Today’s mobile networks are top targets for cybercriminals,” FCC Chairwoman Jessica Rosenworcel said. “Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections.”
In April, the agency fined T-Mobile and other major U.S. wireless carriers a total of $200 million for allegedly selling their customers’ location data to third parties without consent, while not taking steps to protect that info from security compromises. The companies said they would appeal the fines, arguing that they concern cybersecurity and data sharing matters the firms had rectified in the past.
The FCC has taken sweeping steps to harden telecom user data from unpermitted access. In March, it began requiring providers to notify authorities of a data breach within seven business days of discovery.