Telecommunications giant T-Mobile has been hit to the tune of $31.5 million following an investigation into significant data breaches that took place over the course of three years.
The Federal Communications Commission (FCC) announced the settlement at the conclusion of the long-running probe into the anomalies that took place from 2021 to 2023.
The $31.5 million sanction is split equally between a straightforward civil penalty and a commitment to invest in future cybersecurity measures. T-Mobile previously settled a class action lawsuit from affected customers for a reported $350 million.
T-Mobile’s ‘Foundational Security Flaws’
The FCC announced the news with a press release on Monday, focusing as much on the requirement for T-Mobile to improve its cybersecurity as it did on the hefty civil penalty it had set.
It said that the FCC’s Enforcement Bureau had been investigating multiple cybersecurity incidents involving T-Mobile in 2021, 2022 and 2023 that “were varied in their nature, exploitations, and apparent methods of attack”.
It found that T-Mobile’s data breaches affected millions of American cell phone users.
It also said that the company had “agreed to important forward-looking commitments to address foundational security flaws, work to improve cyber hygiene, and adopt robust modern architectures, like zero trust and phishing-resistant multifactor authentication.”
Enforceable Commitments to Cybersecurity
In order to achieve that aim – and in addition to the $15.75 million civil penalty payable to the US Treasury – the network has agreed to pledge $15.75 million into cybersecurity investment, which would be enforceable by the terms of the settlement.
The changes to be made by T-Mobile include improvements to corporate governance, the introduction of modern zero-trust architecture, and more robust identity and access management.
As well as stabilizing T-Mobile’s own data security, the FCC was eager to point out that the settlement should also encourage other companies to ensure their processes are as protected as possible.
“Today’s mobile networks are top targets for cybercriminals,” said Jessica Rosenworcel, Chairwoman of the FCC. “Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections.”
“We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.” – Jessica Rosenworcel, FCC Chairwoman
Compromising Sensitive Data
Loyaan A. Egal, chief of the Enforcement Bureau, said that the result of the T-Mobile investigation was a significant step forward in protecting the data of millions of phone customers across the US.
“With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans’ sensitive data.” – Loyaan A. Egal, chief of the Enforcement Bureau
It continues a move to hold big tech companies to account for their data breaches. Only a couple of weeks ago, DNA testing company 23andMe agreed to compensate data breach victims $30 million.
Household names such as Dell, U-Haul and Ticketmaster have all been implicated in major data breaches this year.