The Federal Communications Commission (FCC) has settled with T-Mobile after a series of major data breaches exposed sensitive personal information of millions of consumers between 2021 and 2023.
The settlement follows multiple investigations into whether the company failed to protect customer data, used or disclosed it without proper authorization, and misrepresented the security measures in place.
The breaches were varied, including unauthorized access to company systems through phishing attacks and the exploitation of vulnerabilities in network infrastructure.
“The Bureau and T-Mobile disagree about whether T-Mobile’s network and data security program and policies in place at the relevant times violated any standard of care or regulation then applicable to T-Mobile, but in the interest of resolving these investigations, and in the interest of putting consumer security first, the parties enter into this negotiated consent decree,” the order stated.
According to the settlement, the negotiated consent decree prioritizes improved consumer protection by ensuring that the company strengthens its cybersecurity practices, despite its disagreements with the FCC.
T-Mobile is required to implement several key security measures to prevent future breaches. These include adopting a zero-trust security model, which will better protect internal networks by limiting unauthorized access, and implementing phishing-resistant multi-factor authentication.
Additionally, T-Mobile is required to minimize its collection of customer data and promptly delete unnecessary information.
The company will designate a chief information security officer who will report regularly to the board of directors about cybersecurity risks.
This settlement is part of a broader push by the FCC to tighten cybersecurity standards across the wireless industry, the agency said.
“Today’s mobile networks are top targets for cybercriminals,” FCC Chairwoman Jessica Rosenworcel said in a statement. “Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections.
“We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”
The FCC said it will closely monitor T-Mobile’s compliance, requiring the company to report data breaches involving more than 500 consumers within 48 hours of confirmation.
Additionally, third-party assessments will be conducted to evaluate the effectiveness of T-Mobile’s cybersecurity improvements, according to the agency.