FCC Orders T-Mobile to Spend $15.7 Million on Cybersecurity

T-Mobile must spend nearly $15.8 million on its cybersecurity infrastructure to atone for three data breaches it has suffered in the last three years, in addition to fine of the same size it must pay to the U.S. government.

The Federal Communications Commission (FCC) announced its settlement with T-Mobile for incidents that occurred in 2021, 2022 and 2023. The FCC wrote in a 24-page consent decree that T-Mobile failed to keep customer information confidential, disclosed and permitted access to customer information and did not adequately attempt to find and mitigate threat actors that were attempting to obtain customer information. Moreover, the FCC enforcement bureau states that T-Mobile "engaged in unjust and unreasonable information security practices; and ... made misrepresentations to its customers regarding its information security practices."

FCC's Jessica Rosenworcel

“Today’s mobile networks are top targets for cybercriminals,” FCC chairwoman Jessica Rosenworcel said. “Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”

Related:T-Mobile Making $4.4 Billion UScellular Acquisition

T-Mobile Data Breaches

T-Mobile's three big data breaches in the last few years are well-documented.

In 2021, a threat actor impersonated a "legitimate connection" on a piece of telecommunications equipment to access a T-Mobile lab environment. This person obtained personal information on more than 40 million customers who had applied for credit with T-Mobile.

In 2022, T-Mobile fell victim to the Lapsus$ extortion group, which accessed internal systems using stolen credentials.

In 2023, someone used stolen credentials to obtain customer data through a frontline sales application.

Cybersecurity Requirements

The FCC will require T-Mobile to invest almost $15.8 million on cybersecurity over the next two years. The Commission outlined six areas of improvement for T-Mobile's "privacy, data security and cybersecurity" posture.

First, T-Mobile must appoint a chief information security officer that reports to the board of directors.

The company must ensure also ensure a number of technological elements: zero-trust architecture, identity and access management (IAM), data minimization and deletion and critical asset inventory. T-Mobile must also conduct third-party security assessments.

This isn't the first time T-Mobile has been ordered to improve its cybersecurity. In a 2021 class-action lawsuit settlement, T-Mobile agreed to put $150 million into cybersecurity 2022 and 2023, in addition to a $350 million payout.

Related:Verizon-Frontier Acquisition: Partners, Analysts Mixed on Reaction

“The wide-ranging terms set forth in today’s settlement are a significant step forward in protecting the networks that house the sensitive data of millions of customers nationwide,” said Loyaan Egal, chief of the FCC's Enforcement Bureau. “With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans’ sensitive data. We will continue to hold T-Mobile accountable for implementing these commitments.”