T-mobile reaches $31.5m settlement with FCC over cybersecurity breaches

The company must invest $15.75m to strengthen its cybersecurity and pay a penalty of $15.75m to the US Treasury.

US wireless network operator T-mobile has reached a settlement with the US Federal Communications Commission (FCC) over multiple data breaches affecting tens of millions of users in recent years.

As part of the settlement announced yesterday (30 September), the telecoms company must invest $15.75m to strengthen its cybersecurity and pay a civil penalty of $15.75m to the US Treasury.

“Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections,” said FCC chair Jessica Rosenworcel.

“We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”

As part of the settlement, T-mobile has agreed to address foundational security flaws, improve cyber hygiene, adopt phishing-resistant multfactor authentication, and other measures to boost its cyber protections. The company’s chief information security officer will report regularly to the company’s board concerning its cybersecurity posture and possible business risks from cyberattacks.

T-mobile has suffered from a number of data breaches – some going back over a decade. The FCC investigation, however, looked into cybersecurity attacks between 2021 and 2023.

The FCC found that the various breaches “were varied in their nature, exploitations and apparent methods of attack”.

In January 2023, a T-mobile breach impacted roughly 37m customers where data stolen included users’ names, billing addresses, emails, phone numbers, birthdays and account numbers. The company said that the hacker behind the attack had been stealing data since November 2022.

The company also suffered cyberattacks in 2022 and 2021, with further breaches as far as back as 2009.

In response to the settlement, a T-Mobile spokesperson told GeekWire: “We take our responsibility to protect our customers’ information very seriously.

“This consent decree (settlement) is a resolution of incidents that occurred years ago and were immediately addressed.”

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.