T-Mobile has been fined $60M for failing to prevent unauthorized access to sensitive data, and for subsequently failing to report the incident.
Unusually, the fine was levied by the Committee on Foreign Investment in the US (CFIUS), and is the largest fine it has ever issued …
The Committee on Foreign Investment in the US
CFIUS has jurisdiction over T-Mobile because the carrier is majority-owned by the German company Deutsche Telekom.
The committee was formed to monitor and control the national security implications of foreign companies and other entities making business investments in the US. It has the power to block investments, to impose conditions on them, and to fine companies for any breaches of their obligations.
T-Mobile fined $60M
In T-Mobile’s case, when the company purchased Sprint back in 2020, CFIUS imposed conditions on the deal, which included ensuring that data was properly protected.
Reuters reports that the committee has found that T-Mobile breached these conditions by failing to adequately secure data, and then failing to report unauthorized access.
In the case of T-Mobile […] the unauthorized access to sensitive data occurred in 2020 and 2021, U.S. officials said […]
“The $60 million penalty announcement highlights the committee’s commitment to ramping up CFIUS enforcement by holding companies accountable when they fail to comply with their obligations,” one of the U.S. officials said, adding that transparency around enforcement actions incentivizes other companies to comply with their obligations […]
T-Mobile said in a statement that it experienced technical issues during its post-merger integration with Sprint that affected “information shared from a small number of law enforcement information requests.” It stressed that the data never left the law enforcement community, was reported “in a timely manner” and was “quickly addressed.”
CFIUS has been dramatically ramping up the fines it imposes, and T-Mobile’s fine of $60M is the largest of these.
T-Mobile told us:
Several years ago, we experienced technical issues during our post-merger integration with Sprint that affected information shared from a small number of law enforcement information requests out of the hundreds of thousands that we process each year. This was not a breach, there was no intrusion and no bad actor was involved. The noted unauthorized access was that information was sent to the wrong law enforcement agency, but it never left the law enforcement ecosystem.
We take matters like this seriously. We reported this in a timely manner, and the issue was quickly addressed. We are glad to have reached a resolution and look forward to continuing to work cooperatively with the law enforcement community to help keep the country and our customers safe.
9to5Mac’s Take
While this is a somewhat unusual case, the more penalties companies face for data security failures, the greater their incentive to protect personal data. All regulatory bodies need to ensure that the cost of failing to protect customer data is higher than the cost of implementing proper safeguards.
Photo by Alex wong on Unsplash