Communications Litigation Today was a Warren News publication.
'Long Overdue'

T-Mobile Will Change Security Practices Following 3 Breaches

T-Mobile agreed it will make extensive changes in its business practices to bolster its customers' security and it will pay a nearly $15.8 million fine, the FCC said Monday. The company will spend at least that same amount strengthening its cybersecurity practices, though the carrier's costs will likely be significantly higher, the FCC said. Elements of the announced consent decree resolve separate incidents in 2021, 2022 and 2023, which the FCC Enforcement Bureau was investigating.

“Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections,” FCC Chairwoman Jessica Rosenworcel said Monday: “We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”

T-Mobile agreed it will designate a chief information security officer, who will report to its board of directors on cybersecurity matters. In addition, it will implement a “zero trust” security framework and segment its network, aimed at "limit[ing] the blast radius when a breach occurs,” the FCC said. The provider also agreed to employ “phishing-resistant multifactor authentication to secure its networks and systems” and practices limiting the amount of data stored. T-Mobile agreed to a critical asset inventory “identifying and promptly tracking critical assets on its network to prevent misuse or compromise” and to support “independent third-party assessments of … information security practices,” the FCC said.

“Implementing these practices will require significant -- and long overdue -- investments,” the regulator said.

“This consent decree is a resolution of incidents that occurred years ago and were immediately addressed,” a T-Mobile spokesperson said in an email: “We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so.”

The breaches “affected millions of current, former, or prospective T-Mobile customers and millions of end-user customers of T-Mobile wireless service resellers,” the commission said. The breaches exposed customer proprietary information (PI), including names, addresses, dates of birth, Social Security numbers and customer proprietary network information (CPNI), including the features customers subscribed to and the number of lines tied to their accounts, the regulator said.

The 2021 incident alone potentially affected 7.8 million current T-Mobile customers and some 40 million former and prospective customers (see 2108180062). “We immediately began an exhaustive investigation into these claims and brought in world-leading cybersecurity experts to help with our assessment,” T-Mobile said at the time: “We then located and immediately closed the access point that we believe was used to illegally gain entry to our servers.”

The bureau and carrier, the decree said, “disagree about whether T-Mobile’s network and data security program and policies in place at the relevant times violated any standard of care or regulation then applicable to T-Mobile, but in the interest of resolving these investigations, and in the interest of putting consumer security first, the parties enter into this negotiated consent decree.”

“We will continue to hold T-Mobile accountable for implementing these commitments," said Enforcement Bureau Chief Loyaan Egal.

T-Mobile recently challenged at the U.S. Court of Appeals for the D.C. Circuit the FCC's 3-2 April decision (see 2404290044) fining the carrier for allegedly not safeguarding data on customers' real-time locations (see 2407090019). T-Mobile’s initial brief is due Oct. 7 (docket 24-1224).