
T-Mobile to Pay Millions to Settle With FCC Over Data Breaches

T-Mobile has agreed to invest $15.75 million in cybersecurity and pay $15.75 million to settle an FCC investigation into four data breaches.

T-Mobile Fined along with other wireless carriers

The Federal Communications Commission (FCC) on Monday announced a multi-million-dollar settlement with telco T-Mobile over four data breaches that affected millions of people.

According to the FCC, T-Mobile failed to protect customer personal information, gave third parties access to customer proprietary network information (CPNI) without customer consent, failed to protect CPNI, did not engage in reasonable information security practices, and failed to inform customers of its information security practices.

As a result of these failures, T-Mobile suffered multiple data breaches in which millions of customers had their personal information – including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and CPNI – compromised, the Commission said.

The first data breach that the FCC references occurred in August 2021, when a hacker accessed database backup files and other information from T-Mobile’s network after performing reconnaissance for months and moving laterally from one compromised system to another.

The incident impacted 76.6 million people, including current, former, and prospective T-Mobile customers, and the carrier provided them with free identity theft protection services, the FCC said.

In 2022, a threat actor used SIM swapping, phishing, and other tactics to hack into a management platform for the carrier’s mobile virtual network operator (MVNO) resellers, which contains MVNO customer information. The Lapsus$ cyber gang was likely responsible for this incident.

In early 2023, using stolen T-Mobile account credentials likely obtained through phishing attacks, a threat actor accessed a frontline sales application containing customer information, such as CPNI. The incident was discovered after customer port-out complaints spiked.

Also in early 2023, the carrier discovered that a permission misconfiguration in one of its APIs allowed a threat actor to obtain the customer account data of roughly 37 million people.


To settle the FCC’s investigation, the telecommunications carrier has agreed to invest $15.75 million over the next two years to improve its cybersecurity practices and address identified weaknesses, and to pay a $15.75 million civil penalty.

“T-Mobile has spent significant additional resources voluntarily enhancing its security program since 2021, engaging internal and outside experts to further enhance controls and processes. T-Mobile has made major financial and operational commitments in the course of its cybersecurity transformation and in response to FCC oversight,” the FCC notes in its Consent Decree (PDF).

As part of the settlement, T-Mobile was also ordered to implement a comprehensive written information security program that includes the adoption of zero-trust architecture and network segmentation, to broadly adopt multi-factor authentication (MFA) within its environment, and to provide regular reports on its cybersecurity practices.

“We take our responsibility to protect our customers’ information very seriously. This consent decree is a resolution of incidents that occurred years ago and were immediately addressed. We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so,” T-Mobile said in an emailed statement.

*Updated with statement from T-Mobile.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
