
T-Mobile FCC Settlement: $31.5 Million Going Toward Penalty for Data Breaches, Cybersecurity Improvements

T-Mobile has reached a settlement that wraps up federal investigations into multiple large-scale data breaches that occurred between 2021 and 2023. The FCC settlement will essentially be split into two payments of $15.75 million, with one being a civil penalty and the other going toward a required internal investment in cybersecurity improvements.

The carrier has been plagued by a string of damaging data breaches, kicked off by a massive theft of 76 million records of personal information including some Social Security and driver’s license numbers in 2021. The cybersecurity upgrade portion of the FCC settlement will see it implement improved multi-factor authentication for employees and zero trust architecture across its environment. The company CISO will also be required to submit regular reports to the FCC board regarding its cybersecurity posture and anticipated risks.

Seemingly annual T-Mobile data breaches addressed by FCC

T-Mobile has seemingly had annual data breaches since 2018, but the new FCC settlement addresses just those that took place in the post-Covid period (and that involved the largest total count of customer records).

The first and largest of these data breaches, which took place in 2021, was eventually found to have impacted some 76 million former, current and prospective T-Mobile customers. The records mostly consisted of first and last names paired with dates of birth, but some contained much more sensitive information such as Social Security and driver’s license numbers. A subset of nearly one million active prepaid service customers also had their phone numbers and account PINs exposed. The breach was the result of a criminal attack, and some of the stolen information was spotted for sale on the dark web.

A hacking group claimed that they further breached T-Mobile at least 100 times in 2022, by phishing company employees to gain access to internal tools and then using these on a for-hire basis to perform SIM swaps for other criminal actors. These criminals offered the service through Telegram and it was sporadic, but available for as much as weeks at a time from mid-2022 into early 2023. 2023 also saw several additional data breaches, the largest of which exposed 37 million customer records via the compromise of an API by a hacker.

T-Mobile is third among the “big three” wireless carriers in the United States, with about 120 million customers. The company attempted to stem the bleeding in 2022 with the announcement of a $150 million cybersecurity improvement, coinciding with it reaching a $350 million settlement in a class action suit brought by customers impacted by the prior data breaches. That program, which was scheduled to run through July 2024, did not appear to have much effect in stopping the numerous serious incidents that took place in 2022 and 2023.

FCC settlement renews questions about T-Mobile’s security posture

FCC Chairwoman Jessica Rosenworcel noted that mobile networks should expect to be “top targets” for cyber attackers due to the amount of customer data they hold, and thus should be expected to maintain “the best” cybersecurity protections. Loyaan A. Egal, Chief of the FCC’s Enforcement Bureau, added that carriers must also consider national security concerns as nation-state hacking teams target critical infrastructure (most recently seen with reports of China’s state hackers infiltrating US ISPs). A Privacy and Data Protection Task Force was established in 2023 after similar FCC settlements from AT&T and Verizon, who each have dealt with their own data breaches.

It remains to be seen if T-Mobile’s security changes will stick this time, but the company is now under order to implement certain new measures. In addition to internally implementing zero trust and improved MFA, the FCC settlement consent decree also requires the company to segment its networks and establish regular third-party information security audits. It must also establish or improve its data minimization, data inventory, and data disposal processes to protect customer information, and track critical network assets to detect misuse or potential compromise that could lead to more data breaches.

The FCC settlement also notes that the mandatory investment is very unlikely to cover the actual cost of implementing all of these measures, and that T-Mobile will likely have to spend much more money in the coming years to stay in compliance. The company will have to detail this strategy in a compliance plan due within six months. It will also have to implement more stringent hiring requirements for its CISO per the terms of the consent decree, requiring them to have the “education, qualifications, and experience” necessary to carry out this plan. It is unclear if this means changes at the position are forthcoming; Jeff Simon took over in May 2023 after having previously served in the role at Fidelity National Information Services.