The Federal Communications Commission (FCC) has announced a $31.5 million settlement with T-Mobile following multiple data breaches that exposed the personal information of millions of U.S. consumers.
These breaches, which occurred in 2021, 2022, and 2023, included incidents involving an API vulnerability and a sales application breach.
As part of the settlement, T-Mobile is required to invest $15.75 million in cybersecurity improvements and pay an additional $15.75 million as a civil penalty to the U.S. Treasury. In addition to the financial penalties, the telecom giant has agreed to enhance its security practices by adopting modern cybersecurity measures, such as zero-trust architecture and multi-factor authentication to help prevent future breaches.
“Mobile networks are prime targets for cybercriminals, and consumers’ data is far too valuable and sensitive to receive anything less than the best protection,” said FCC Chairwoman Jessica Rosenworcel. “We will continue to send a clear message to service providers that they need to strengthen their systems or face serious consequences.”
Under the terms of the agreement, T-Mobile has committed to improving its data security and privacy practices by addressing key vulnerabilities, adopting stronger cyber hygiene practices, and implementing modern security frameworks. Specific measures include:
- Regular updates on cybersecurity from the Chief Information Security Officer to the board of directors to ensure oversight and governance.
- Implementing data minimization and secure data disposal processes to limit the amount of customer information collected and retained.
- Enhancing monitoring of critical network assets to prevent misuse.
- Moving towards a zero-trust architecture, improving network segmentation for enhanced security.
- Subjecting information security practices to independent third-party audits.
- Expanding multi-factor authentication across all systems to mitigate the risk of data breaches tied to stolen or leaked credentials.
Loyaan A. Egal, Chief of the FCC’s Enforcement Bureau, emphasized the critical nature of this settlement, stating, “Telecom service providers like T-Mobile operate at the intersection of national security and consumer protection. They must make significant technical changes to safeguard their networks and prevent future compromises of sensitive consumer data.”
The FCC’s Privacy and Data Protection Task Force, formed in 2023 by Chairwoman Rosenworcel, played a major role in this settlement. Similar actions were taken in 2024, with the FCC reaching settlements with AT&T ($13 million) and Verizon’s subsidiary TracFone Wireless ($16 million) over cybersecurity incidents.
In a broader crackdown on data breaches, the FCC also imposed nearly $200 million in fines on the nation’s largest wireless carriers in April 2024 for unauthorized sharing of customer location data. This followed a 2020 investigation culminating in significant fines for AT&T, Sprint, T-Mobile, and Verizon.
In February 2024, the FCC further updated its data breach reporting rules, requiring telecom companies to notify customers of breaches involving their personally identifiable information within 30 days. This move highlights the FCC’s ongoing commitment to protecting consumer privacy in an increasingly digital age.
