T-Mobile reaches $31.5M breach settlement with FCC

T-Mobile reached a $31.5 million settlement with the Federal Communications Commission over the telecom giant's handling of multiple data breaches.

Under the settlement, which the FCC announced on Monday, T-Mobile will pay a $15.75 million civil penalty to the U.S. Treasury and is required to "address foundational security flaws" while implementing a zero-trust architecture, network segmentation and MFA.

As part of the settlement, T-Mobile will make a separate $15.75 million security investment to be spent over the next two years. According to the press release, the FCC intends for the investment to "serve as a model for the mobile telecommunications industry."

The FCC on Monday also published a consent decree, which includes further details surrounding the settlement. The decree also requires T-Mobile to designate a chief information security officer to report relevant security matters to the board of directors; to adopt "data minimization, data inventory, and data disposal processes designed to limit its collection and retention of customer information"; to inventory critical assets; and to conduct independent third-party assessments.

"Implementing these practices will require significant -- and long overdue -- investments. To do so at T-Mobile's scale will likely require expenditures an order of magnitude greater than the civil penalty here. The Commission will hold T-Mobile accountable for making these mandatory changes to comply with statutory and regulatory obligations going forward and to ensure that T-Mobile does not create unnecessary cybersecurity risk for others through its business practices (e.g., mergers and acquisitions and facilities-based services for MVNOs)," the decree read. "When organizations that have data on individuals fail to act as responsible stewards for this data, they externalize the costs onto everyday Americans."

The FCC's investigation and settlement follows several high-profile data breaches at T-Mobile in recent years. In January 2023, the mobile carrier disclosed a breach in which threat actors stole select personal data belonging to 37 million customer accounts. In early 2022, the company suffered a source code theft at the hands of then-prolific cybercriminal group Lapsus$. In 2021, threat actors stole customer names, addresses, Social Security numbers and government ID numbers in an attack affecting more than 40 million customer accounts.

"With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans' sensitive data," said Loyaan Egal, Chief of the Enforcement Bureau at the FCC as well as chair of the Privacy and Data Protection Task Force, in the press release. "We will continue to hold T-Mobile accountable for implementing these commitments."

FCC Chairwoman Jessica Rosenworcel similarly emphasized the stakes of threat actors targeting telecom carriers in the press release.

"Consumers' data is too important and much too sensitive to receive anything less than the best cybersecurity protections," she said. "We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences."

A T-Mobile spokesperson shared a statement with TechTarget Editorial in which the company affirmed its responsibility to secure customer data and stated that T-Mobile will continue to make significant security investments.

We take our responsibility to protect our customers' information very seriously. This consent decree is a resolution of incidents that occurred years ago and were immediately addressed. We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.