Important points
- T-Mobile is investing $15.75 million in cybersecurity upgrades as part of its settlement with the FCC and is also paying a civil penalty of the same amount.
- The settlement follows multiple data breaches from 2021 to 2023 that exposed sensitive customer information such as Social Security numbers and driver's licenses.
- T-Mobile also adopted a zero trust architecture and multi-factor authentication, and agreed to have its CISO report cybersecurity risks to its board of directors to prevent future breaches.
Most carriers aren't very good at protecting their users' data. In 2023, AT&T breached the data of millions of Americans, and earlier this month the FCC fined the carrier for not handling data responsibly. T-Mobile is no exception. A recent data breach at the company exposed millions of users' Social Security numbers, addresses, and driver's license numbers. But the FCC is now requiring T-Mobile to increase investment in its cybersecurity infrastructure and work to keep it from being hacked so frequently.
The FCC has announced a “landmark data protection and cybersecurity” settlement with T-Mobile, clearing several investigations into cybersecurity incidents at the company in 2021, 2022, and 2023 (from The Verge). As part of the settlement, T-Mobile committed to addressing fundamental security flaws, improving cyber hygiene, and adopting a robust modern architecture including zero trust and phishing-resistant multi-factor authentication.
The company must also pay $15.75 million in civil penalties to the U.S. Treasury, an amount equal to its internal cybersecurity investments. Additionally, T-Mobile's Chief Information Security Officer will regularly update the Board of Directors on T-Mobile's cybersecurity status and related business risks.
The commission said the settlement would serve as a model for the industry, adding: “Companies like T-Mobile and other communications service providers operate in areas where national security and consumer protection interests overlap, so we want to ensure that significant technological changes are made. We are focused on improving the national cybersecurity posture and preventing future breaches of sensitive data transmitted to American citizens' telecommunications networks. We remain responsible to T-Mobile for fulfilling these commitments.”
Recently, carriers have attracted the attention of hackers
Over the past two years, there have been a number of data breaches that have hit major carriers. T-Mobile started things off in early 2023 with a massive breach in which hackers stole data from approximately 37 million customers. Another breach rumor surfaced in September, but T-Mobile shut it down. A similar security incident occurred in June, but the company blamed it on a third party.
AT&T is also a regular target and appears to have paid hackers more than $300,000 to access everyone's call records. Carriers like Mint Mobile and Verizon have also seen their fair share of breaches recently.