T-Mobile has agreed to a $31.5 million settlement with the Federal Communications Commission (FCC) regarding its response to multiple data breaches that occurred within the company. This settlement, announced by the FCC on Monday, includes a $15.75 million civil penalty to be paid to the U.S. Treasury and a commitment from T-Mobile to address foundational security flaws by implementing a zero-trust architecture, network segmentation, and multi-factor authentication (MFA).
In addition to the civil penalty, T-Mobile will also be making a separate $15.75 million security investment over the next two years. According to the FCC’s press release, this investment is intended to set a standard for the mobile telecommunications industry and pave the way for improved security practices across the board.
Further details of the settlement are outlined in a consent decree published by the FCC, which includes specific requirements for T-Mobile moving forward. These requirements include appointing a chief information security officer to report security matters to the board of directors, implementing data minimization and disposal processes, conducting independent third-party assessments, and inventorying critical assets.
The FCC’s decision to investigate and settle with T-Mobile comes in the wake of several high-profile data breaches that have affected the company in recent years. These breaches include incidents where customer data was stolen by threat actors, source code theft by cybercriminal groups, and the compromise of sensitive personal information belonging to millions of T-Mobile customers.
In response to the settlement, Loyaan Egal, Chief of the Enforcement Bureau at the FCC and chair of the Privacy and Data Protection Task Force, emphasized the importance of making critical technical changes to improve national cybersecurity and prevent future compromises of sensitive data. FCC Chairwoman Jessica Rosenworcel echoed this sentiment, stressing the need for telecom carriers to prioritize cybersecurity measures to protect consumer data.
A spokesperson for T-Mobile reiterated the company’s commitment to securing customer information and highlighted the significant investments that have been made in strengthening their cybersecurity program. The company expressed a dedication to ongoing security efforts to safeguard customer data and prevent future breaches.
Overall, the settlement between T-Mobile and the FCC represents a significant step towards improving cybersecurity practices within the telecommunications industry. By holding companies accountable for data protection and implementing necessary security measures, both regulatory bodies and telecom providers alike are working towards a more secure and resilient infrastructure to safeguard consumer information.