T-Mobile Reaches $31.5 Million Settlement With FCC Over Data Breaches

All three major U.S. wireless carriers have settled with the Federal Communications Commission to make investments to protect consumer data and privacy.
Chase Smith

The Federal Communications Commission (FCC) has settled with T-Mobile after a series of major data breaches exposed sensitive personal information of millions of consumers between 2021 and 2023.

On Sept. 30, the FCC’s Enforcement Bureau announced that T-Mobile will pay a $15.75 million civil penalty to the U.S. Treasury and commit another $15.75 million to bolster its cybersecurity defenses.

The settlement follows multiple investigations into whether the company failed to protect customer data, used or disclosed it without proper authorization, and misrepresented the security measures in place.

According to the FCC’s consent decree, T-Mobile suffered significant breaches over several years, compromising names, Social Security numbers, driver’s license details, and other personal information of millions of customers, as well as users of mobile virtual network operators (MVNOs) that operate on T-Mobile’s network.

The breaches were varied, including unauthorized access to company systems through phishing attacks and the exploitation of vulnerabilities in network infrastructure.

“The Bureau and T-Mobile disagree about whether T-Mobile’s network and data security program and policies in place at the relevant times violated any standard of care or regulation then applicable to T-Mobile, but in the interest of resolving these investigations, and in the interest of putting consumer security first, the parties enter into this negotiated consent decree,” the order stated.

The settlement says the negotiated consent decree prioritizes improved consumer protection by ensuring that the company strengthens its cybersecurity practices despite its disagreements with the FCC.

T-Mobile is required to implement several key security measures to prevent future breaches. These include adopting a zero-trust security model, which will better protect internal networks by limiting unauthorized access, and implementing phishing-resistant multi-factor authentication.

Additionally, T-Mobile is required to minimize its collection of customer data and promptly delete unnecessary information.

The company will designate a chief information security officer who will report regularly to the board of directors about cybersecurity risks.

This settlement is part of a broader push by the FCC to tighten cybersecurity standards across the wireless industry, the agency said.

Similar agreements were reached on June 25 with Verizon and on Sept. 17 with AT&T following investigations into their data security issues.

“Today’s mobile networks are top targets for cybercriminals,” FCC Chairwoman Jessica Rosenworcel said in a statement. “Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections.

“We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”

The FCC said it will closely monitor T-Mobile’s compliance, requiring the company to report data breaches involving more than 500 consumers within 48 hours of confirmation.

Additionally, third-party assessments will be conducted to evaluate the effectiveness of T-Mobile’s cybersecurity improvements, according to the agency.

Chase Smith
Chase is an award-winning journalist. He covers national news for The Epoch Times and is based out of Tennessee.