T-Mobile has agreed a $15.75m settlement with the US Federal Communications Commission (FCC) for multiple cybersecurity incidents that led to millions of customers’ data being breached.
The civil penalty relates to a series of incidents in 2021, 2022 and 2023, which have all been subject to FCC investigations.
Timeline of T-Mobile Data Breaches
- In August 2021, T-Mobile revealed that a threat actor gained access to its systems, which exposed the personal data, including Social Security numbers, of 7.8 million current T-Mobile customers and approximately 40 million former and prospective customers. In 2022, the company agreed to pay $350m to settle a class action claim relating to the breach.
- In late 2022, an attacker gained unauthorized access to a management platform that T-Mobile provides to its mobile virtual network operator, which contained customer data. One of a number of tactics attackers used in this instance was a phishing attack on a T-Mobile employee.
- In May 2023, T-Mobile revealed that a malicious actor had accessed hundreds of customer accounts between late February and March 2023. The attack enabled the attackers to view certain customer data, including customer proprietary network information. The threat actor obtained access by stealing the account credentials of several dozen T-Mobile retail employees.
- In January 2023, T-Mobile admitted that tens of millions of customers had their personal and account information accessed by a malicious actor via an API. Human error led to a misconfiguration in permissions settings that allowed a threat actor to submit queries and obtain T-Mobile customer account data.
FCC Chairwoman, Jessica Rosenworcel, commented: “Today’s mobile networks are top targets for cybercriminals. Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”
Read now: AT&T Agrees $13m FCC Settlement Over Cloud Data Breach
T-Mobile Agrees to Major Cybersecurity Investment
In addition to the civil penalty, which will be paid to the US Treasury, the mobile communications firm has agreed to separately invest the same amount, $15.75m, to improve its cybersecurity posture.
This investment will address foundational security vulnerabilities, work to improve cyber hygiene, and adopt robust modern architectures, like zero trust and phishing-resistant multi-factor authentication (MFA).
Additionally, T-Mobile’s CISO will give regular updates to the board concerning the company’s cybersecurity posture and business risks posed by cybersecurity.
The FCC said these commitments are enforceable.
Image credit: m_sovinskii / Shutterstock.com