
FCC Forces T-Mobile to Bolster Cybersecurity in Data Breach Settlement

Citing T-Mobile's data breaches in 2021, 2022 and 2023, the FCC orders the carrier to adopt multi-factor authentication and a 'zero trust' model for its security.

Michael Kan, Principal Reporter


T-Mobile has agreed to bolster its cybersecurity after suffering data breaches in 2021, 2022, and 2023, according to a settlement with US regulators. 

On Monday, the FCC announced a deal to settle its investigation into past data breaches, which ensnared over 76 million people during the 2021 breach.

The FCC called the deal “groundbreaking” in terms of data protection because it’ll require T-Mobile to adopt best practices in the cybersecurity industry. Specifically, the company will need to implement “a modern zero trust architecture,” segment its internal networks, and institute multi-factor authentication for all employees.

In addition, the FCC is fining the carrier $15.8 million, but the money will go to the US Treasury. T-Mobile also has to commit to “spending an additional $15,750,000 over the next two years to strengthen its cybersecurity program” — a relatively small sum for a company that made $8.3 billion in net income last year.

Even so, the commission expects T-Mobile will ultimately need to spend a fortune to bring its cybersecurity practices up to the requirements of the settlement. “Implementing these practices will require significant—and long overdue—investments,” the FCC says. “To do so at T-Mobile’s scale will likely require expenditures an order of magnitude greater than the civil penalty here.”

The announcement arrives more than a year after T-Mobile previously vowed to spend $150 million to revamp its data security. In 2021, the carrier suffered a breach after a hacker discovered an unprotected T-Mobile router on the open internet, which allowed him to steal personal information—such as names, addresses, Social Security numbers and dates of birth—for 76.6 million people.

In 2022, other cyber criminals were able to steal T-Mobile customer data by using a phishing attack and a SIM swap to gain access to company employee accounts. In 2023, hackers struck again by using stolen account credentials to access a T-Mobile sales application and by exploiting misconfigured permissions in a company API.  

The FCC now says its settlement is designed to prevent future intrusions and minimize the reach of a breach if T-Mobile is ever hacked again. “We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences,” FCC Chairwoman Jessica Rosenworcel said in the announcement. 

In response to the settlement, T-Mobile said: "We take our responsibility to protect our customers’ information very seriously. This consent decree is a resolution of incidents that occurred years ago and were immediately addressed. We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so."

Users hoping to receive compensation will need to bank on a class-action lawsuit. In 2022, T-Mobile agreed to a $350 million settlement for the 2021 data breach. However, it looks like the settlement is still going through the courts for final approval.
