FCC Fines T-Mobile More Than $15 Million for Data Breaches
The company agreed to improve data security practices and invest another $15 million in the effort.
Jake Neenan
WASHINGTON, Sept. 30, 2024 – T-Mobile agreed to improve its data security practices and pay a more than $15 million fine to end federal investigations into multiple data breaches.
The Federal Communications Commission was investigating a 2021 hack in which more than 76 million people had personal information stolen, a 2023 incident in which a misconfiguration allowed an outside actor to access account data for 37 million customers through the company’s API, and two smaller breaches likely resulting from phishing attacks.
“Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections,” FCC Chairwoman Jessica Rosenworcel said in a statement. “We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”
On top of the fine, the company agreed to spend at least another $15.75 million to improve cybersecurity over the next two years.
T-Mobile also committed to a number of other provisions, including segmenting its network to limit the “blast radius” of a given breach, adopting more secure authentication methods for employees, and increasing oversight of virtual network operators that provide service on T-Mobile’s infrastructure. The company agreed to designate a senior executive to monitor those efforts and to pay for two third-party audits of its compliance with the terms of the settlement.
“Implementing these practices will require significant – and long overdue – investments. To do so at T-Mobile’s scale will likely require expenditures an order of magnitude greater than the civil penalty here,” the agency wrote in an order adopting its consent decree with the company.
The agreement expires in three years.
“We take our responsibility to protect our customers’ information very seriously. This consent decree is a resolution of incidents that occurred years ago and were immediately addressed. We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so,” a T-Mobile spokesperson told Broadband Breakfast.
The FCC reached a similar settlement with AT&T on September 17, in which the company agreed to a $13 million fine and a plan to more thoroughly screen its vendors. The agency is still investigating a larger breach involving AT&T.