T-Mobile to pay $16M penalty as part of cybersecurity settlement with FCC
All major wireless carriers in the U.S. are now required to invest to protect consumer data and privacy.
The Federal Communications Commission has announced what it called a “groundbreaking” data protection and cybersecurity settlement with T-Mobile to resolve investigations by the agency’s Enforcement Bureau into “significant data breaches” that impacted millions of U.S. consumers.
As part of the settlement, the telecom carrier will invest $15.7 million to address cybersecurity issues and pay a $15.75 million civil penalty to the U.S. Treasury. T-Mobile is one of Puerto Rico’s three mobile providers, competing with Liberty Mobile and Claro Puerto Rico.
“Today’s mobile networks are top targets for cybercriminals,” said FCC Chairwoman Jessica Rosenworcel. “Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”
The settlement addresses multiple cybersecurity breach investigations opened by the FCC in 2021, 2022 and 2023.
The investigations found evidence of breaches that affected millions of cellphone customers and that varied in nature, exploitations and methods of attack, the agency stated.
The FCC said that to settle the investigations, T-Mobile has agreed to future commitments to address “foundational security flaws, work to improve cyber hygiene, and adopt robust modern architectures, like zero trust and phishing-resistant multi-factor authentication.”
Under the settlement, T-Mobile has committed to:
- Corporate governance – T-Mobile’s chief information security officer will provide regular cybersecurity posture reports to the carrier’s board regarding risks posed by cybersecurity.
- Modern zero-trust architecture – T-Mobile will migrate to a zero-trust architecture and segment its networks. “This is one of the most important changes organizations can make to improve their security posture,” the FCC stated.
- Identity and access management – T-Mobile will adopt multi-factor authentication methods within its network to reduce risks of breaches and ransomware attacks.
“The wide-ranging terms set forth in today’s settlement are a significant step forward in protecting the networks that house the sensitive data of millions of customers nationwide,” said Loyaan A. Egal, chief of the FCC’s Enforcement Bureau and chair of the Privacy and Data Protection Task Force.
“With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans’ sensitive data. We will continue to hold T-Mobile accountable for implementing these commitments,” Egal added.
Besides the T-Mobile settlement, the FCC recently secured similar “Consumer Privacy Upgrades” covering data protection, cybersecurity and consumer privacy terms with all of the largest wireless carriers in the U.S., including a September settlement with AT&T and a July settlement with Verizon.