T-Mobile has finalized a $15.75 million settlement with the US Federal Communications Commission (FCC) following multiple cybersecurity incidents between 2021 and 2023. The series of data breaches compromised sensitive customer data, prompting the FCC investigation and subsequent penalty. This agreement includes an additional $15.75 million investment in cybersecurity measures to enhance the company’s defence against future breaches.
In August 2021, T-Mobile announced that a threat actor had infiltrated its systems, accessing the personal data, including Social Security numbers, of 7.8 million current customers and around 40 million former and prospective customers. As a result, T-Mobile agreed to a $350 million settlement to resolve a class-action lawsuit related to this breach.
Further incidents occurred in late 2022, when attackers gained unauthorized access to customer data through a management platform used by T-Mobile’s mobile virtual network operators (MVNOs). That breach was carried out through phishing attacks targeting T-Mobile employees. Another breach, disclosed in early 2023, resulted in unauthorized access to hundreds of customer accounts after attackers stole login credentials from retail employees. Additionally, in January 2023, an API misconfiguration exposed millions of customers’ personal and account information, enabling unauthorized queries against T-Mobile’s systems.
The FCC investigation found that T-Mobile failed to implement sufficient measures to protect customer proprietary network information (CPNI), which includes personal details such as names, Social Security numbers, and account information. The FCC cited violations of the Communications Act of 1934, which obliges telecommunications carriers to safeguard CPNI.
The FCC further alleged that T-Mobile did not take adequate steps to prevent unauthorized access to CPNI and allowed improper use or disclosure of such data without customer approval. The company was also accused of misrepresenting its security practices to its customers. In light of these findings, a settlement was reached to resolve these issues.
Beyond the civil penalty, T-Mobile has committed to bolstering its cybersecurity infrastructure with a $15.75 million investment. The company will adopt a zero-trust security model, segment its network to reduce damage in case of future breaches, and implement phishing-resistant multi-factor authentication (MFA) to enhance security. In addition, T-Mobile will improve its data management practices, including data minimization, inventory control, and proper data disposal to limit the exposure of customer data.
T-Mobile has also appointed a Chief Information Security Officer (CISO) responsible for reporting cybersecurity risks and progress to the Board of Directors. Independent third-party assessments will be conducted regularly to ensure that the company’s security practices are compliant and effective.
T-Mobile’s $15.75 million settlement with the FCC underscores the growing importance of cybersecurity in today’s digital age. As cybercriminals increasingly target mobile networks, telecommunications providers must prioritize customer data protection. T-Mobile’s commitment to enhancing its security measures, along with regular oversight, is a step toward preventing future breaches and protecting customer trust.
The breaches were caused by a combination of phishing attacks, unauthorized access through misconfigured systems, and stolen employee credentials.
Over 7.8 million current customers, as well as approximately 40 million former and prospective customers, were affected by the breaches.
CPNI, or Customer Proprietary Network Information, includes sensitive details such as names, Social Security numbers, and account data. This information was exposed during the breaches.
T-Mobile is investing $15.75 million in cybersecurity, including adopting zero-trust architecture, implementing phishing-resistant MFA, and enhancing data management practices.
The CISO is responsible for overseeing T-Mobile’s cybersecurity efforts, reporting directly to the Board of Directors, and ensuring regular assessments of security practices.