T-Mobile reaches $31.5 million settlement with FCC over past data breaches 

Telecom giant T-Mobile will pay a $31.5 million fine to settle investigations with the Federal Communications Commission for past data breaches that exposed the personal data of millions of customers.

While half of that total will take the form of a traditional fine, the other half will be invested into fulfilling a consent decree mandating that T-Mobile put in place a series of mandatory data security and cybersecurity improvements over the next two years.

Those include implementing phishing-resistant multifactor authentication protections throughout the company, segmenting its network to limit the data exposure in future breaches, adopting regular data minimization and deletion procedures and submitting to third-party security audits. The company must also designate and empower a chief information security officer to provide regular briefings to the board of directors.

In a statement, FCC Chair Jessica Rosenworcel said mobile networks remain high-value targets for cybercriminals, and telecoms like T-Mobile must design their cybersecurity programs accordingly.

“Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections,” Rosenworcel said. “We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”

The breaches covered by the settlement occurred in 2021, 2022 and 2023, through cyberattacks that were “varied in their nature, exploitations, and apparent methods of attack,” according to the consent decree.

In 2021, a malicious hacker was able to gain access to T-Mobile’s lab environment by impersonating a legitimate connection to an unnamed piece of equipment. The actor was able to guess the passwords for a number of servers and move laterally throughout the network, eventually stealing personal data like names, addresses, Social Security numbers and driver’s license ID numbers from tens of millions of past and current customers.

A year later, the telecom suffered another breach when a malicious actor used SIM-swapping, phishing and other methods to gain access to the company’s internal platform for managing mobile resellers who sell to T-Mobile customers.

Another incident in early 2023 involved the use of phished account credentials for dozens of T-Mobile retail employees to access a sales application set up during the COVID-19 pandemic to allow for remote viewing of customer data.

Finally, in January 2023, a misconfigured application programming interface allowed a threat actor to access personal customer data for 37 million current customers.

“This consent decree is a resolution of incidents that occurred years ago and were immediately addressed,” a T-Mobile spokesperson said in an email to CyberScoop. “We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so.”

While T-Mobile will be able to use half the settlement — $15,750,000 — to pay for the security improvements, that is likely to represent only a small portion of the total investment the telecom will be expected to make in the coming years.

“Implementing these practices will require significant — and long overdue — investments. To do so at T-Mobile’s scale will likely require expenditures an order of magnitude greater than the civil penalty here,” the consent decree states.

Within six months, the company must have a compliance plan in place to satisfy the terms of the settlement. That includes an information security plan that accounts for the size and complexity of T-Mobile and its operations and a detailed set of requirements for segmenting its networks.

The company must segment its network in a way that would “reasonably” ensure that only authorized communication channels are opened between segments, conduct risk assessments for those channels, separate production and non-production environments, document and monitor open firewall ports and implement compensating controls to better protect sensitive information.

The CISO must also be more than a figurehead, and the decree specifies that the position “must possess or have access to the authority, reporting lines, independence, resources, education, qualifications, and experience” needed to effectively carry out the company’s information security program.