KEY TAKEAWAYS

  • T-Mobile is investing $15.75 million in cybersecurity upgrades as part of a settlement with the FCC, and is paying the same amount in civil penalties.
  • The settlement follows several data breaches from 2021 to 2023, exposing sensitive customer information like social security numbers and driver’s licenses.
  • T-Mobile also agreed to adopt zero-trust architecture and multi-factor authentication, with its CISO reporting cybersecurity risks to the board to prevent future breaches.

Most carriers are not very good at protecting their users’ data. In 2023, AT&T compromised the data of millions of Americans, and the FCC even fined the carrier earlier this month for not handling data responsibly. T-Mobile is not an exception either. Data breaches at the company in recent years have leaked the social security numbers, addresses, and driver’s license numbers of millions of its users. However, the FCC now wants T-Mobile to start investing more in cybersecurity infrastructure and try not to get hacked so often.

The FCC has announced a “groundbreaking data protection and cybersecurity” settlement with T-Mobile, which clears up several investigations involving cybersecurity incidents at the company in 2021, 2022, and 2023 (via The Verge). As part of the settlement, T-Mobile has promised to address foundational security flaws, work to improve cyber hygiene, and adopt robust modern architectures, like zero trust and phishing-resistant multifactor authentication.

The company will also have to pay the US Treasury $15.75 million in civil penalties, which is the same amount it’s investing in its internal cybersecurity. Plus, T-Mobile’s Chief Information Security Officer will regularly update the board on T-Mobile’s cybersecurity status and any business risks tied to it.

The commission says this settlement will serve as a model for the industry, adding: “With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans’ sensitive data. We will continue to hold T-Mobile accountable for implementing these commitments.”

Carriers are on hackers’ radar these days

In the last two years, there have been a number of data breaches hitting major carriers. T-Mobile kicked things off with a massive breach in early 2023, where hackers stole data from around 37 million customers. In September, rumors of another breach popped up, but T-Mobile shut them down. Then in June, it got hit by another security incident of a similar scale, though the company blamed a third party for it.

AT&T’s also been a regular target and apparently paid over $300,000 to a hacker for access to everyone’s call logs. Carriers like Mint Mobile and Verizon have also had their fair share of breaches lately.