T-Mobile US has agreed to a $31.5 million settlement with the FCC following a series of data breaches that affected millions of customers between 2021 and 2023. The settlement includes a $15.75 million fine and a commitment to spend an additional $15.75 million on improving cybersecurity over the next two years.
Key points of the settlement include:
- Appointing a chief information security officer who will report to the board of directors.
- Implementing a zero-trust security framework and network segmentation.
- Adopting phishing-resistant multi-factor authentication across networks and systems.
- Improving data minimization and disposal processes.
- Conducting independent third-party assessments of security practices.
The settlement addresses four major security incidents since 2021:
- A 2021 breach affecting 76.6 million customers’ data.
- A 2022 intrusion into a management platform for MVNO resellers.
- Two separate incidents in 2023 involving stolen credentials and an API misconfiguration.
T-Mobile claims to have already addressed these issues and is committed to strengthening its cybersecurity program. The FCC emphasizes the importance of protecting consumer data in mobile networks, which are increasingly targeted by cybercriminals.
This settlement follows the FCC’s recent update to reporting rules, requiring telcos to disclose security breaches within seven days of discovery.