A succession of T-Mobile data breaches saw millions of customers have their personal data exposed. The company has now been fined $15.75M, and has agreed to spend the same amount again on upgrading its security.
The Federal Communications Commission (FCC) says that the combination of fine and promised security enhancements represents a model for future handling of such incidents …
T-Mobile data breaches
The summer of 2021 saw a huge T-Mobile security breach, exposing the personal data of more than 100 million customers. This included sensitive data needed for identity theft, like home address and date of birth. Another breach followed later the same year, along with others in 2022 and 2023.
The company admitted to a further breach in January of this year, impacting 37 million customers. Then yet another one in May, in which social security numbers were compromised.
Carrier fined, and commits to security upgrades
The FCC reached what it calls a “groundbreaking” settlement with T-Mobile in respect of three of these cases.
The Federal Communications Commission today announced a groundbreaking data protection and cybersecurity settlement with T-Mobile to resolve the Enforcement Bureau’s investigations into significant data breaches that impacted millions of U.S. consumers.
To settle the investigations, T-Mobile has agreed to important forward-looking commitments to address foundational security flaws, work to improve cyber hygiene, and adopt robust modern architectures, like zero trust and phishing-resistant multi-factor authentication. The Commission believes that implementation of these commitments, backed by a $15.75 million cybersecurity investment by the company as required by the settlement, will serve as a model for the mobile telecommunications industry.
As part of the settlement, the company will also pay a $15.75 million civil penalty to the U.S. Treasury.
Separately, T-Mobile was recently fined $60M by a less well-known government body for failing to prevent unauthorized access to sensitive data, and for further failing to report the failure.