Published on: October 3, 2024
T-Mobile will pay $31.5 million to settle investigations by the Federal Communications Commission (FCC) over a series of data breaches that exposed the personal information of millions of US consumers, the agency announced Monday.
The settlement includes a $15.75 million civil penalty, which T-Mobile will pay to the US Treasury. Additionally, the Bellevue, Washington-based telecom giant will invest another $15.75 million into bolstering its cybersecurity defenses, including adopting advanced security measures like zero trust architectures and phishing-resistant multi-factor authentication.
In its announcement, the FCC highlighted the importance of these steps, describing them as “a model for the mobile telecommunications industry” and crucial for protecting consumer data.
The FCC’s Enforcement Bureau launched investigations into T-Mobile’s cybersecurity practices following data breaches that occurred in 2021, 2022, and 2023. The breaches affected millions of customers and involved various methods of attack. Details on the breaches have not been fully disclosed, but FCC Chairwoman Jessica Rosenworcel emphasized the seriousness of the issue, noting the growing threat posed by cybercriminals.
“Today’s mobile networks are top targets for cybercriminals,” Rosenworcel said in a statement. “Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”
T-Mobile responded to the settlement, stating: “We take our responsibility to protect our customers’ information very seriously. This consent decree is a resolution of incidents that occurred years ago and were immediately addressed. We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so.”
The FCC’s Privacy and Data Protection Task Force, created by Rosenworcel in 2023, played a key role in investigating T-Mobile and negotiating the settlement. The task force aims to hold mobile carriers accountable for safeguarding customer data amid increasing cyber threats.
This settlement is part of a broader push by the FCC to crack down on telecom providers failing to protect consumer data. Earlier this year, the agency reached similar settlements with AT&T, which paid $13 million, and Verizon’s TracFone, which agreed to a $16 million settlement.
T-Mobile has faced mounting legal and regulatory challenges over its cybersecurity practices. In July 2022, the company paid $350 million to settle class-action lawsuits following an August 2021 cyberattack that affected 76 million customers. With the latest FCC settlement, T-Mobile aims to strengthen its defenses and reassure customers of its commitment to data protection.