
T-Mobile pays $16 million fine for three years’ worth of data breaches

Breaches in three consecutive years lead to $16M fine and new security protocols.

Jon Brodkin
T-Mobile logo displayed in front of a stock market chart.
Credit: Getty Images | SOPA Images

T-Mobile has agreed to pay a $15.75 million fine and improve its security in a settlement over a series of data breaches over three years that affected tens of millions of customers.

"T-Mobile suffered data breaches in 2021, 2022, and 2023," the Federal Communications Commission Enforcement Bureau said in an order approving a consent decree yesterday. "Combined, these breaches affected millions of current, former, or prospective T-Mobile customers and millions of end-user customers of T-Mobile wireless service resellers, which operate on T-Mobile's network infrastructure and are known as mobile virtual network operators (MVNOs)."

Four breaches occurring over three years exposed personal information, including customer names, addresses, dates of birth, Social Security numbers, driver's license numbers, the features customers subscribed to, and the number of lines on their accounts.

The FCC investigated T-Mobile for several potential violations: failure to meet its legal duty to protect confidentiality of private information; impermissibly using, disclosing, or permitting access to private information without customer approval; failure to take reasonable measures to discover and protect against attempts to gain unauthorized access to private information; unjust and unreasonable information security practices; and making misrepresentations to customers about its information security practices.

"To settle these investigations, T-Mobile will pay a civil penalty of $15,750,000 and commit to spending an additional $15,750,000 over the next two years to strengthen its cybersecurity program, and develop and implement a compliance plan to protect consumers against similar data breaches in the future," the FCC said.

FCC touts “strong message” to carriers

The fine will be paid to the US Treasury. The FCC Enforcement Bureau said the security improvements that T-Mobile agreed to "will likely require expenditures an order of magnitude greater than the civil penalty here." T-Mobile reported $19.8 billion in revenue and $2.9 billion in net income in Q2 2024.

In a press release, the FCC touted the settlement as "a model for the mobile telecommunications industry." T-Mobile will "address foundational security flaws, work to improve cyber hygiene, and adopt robust modern architectures, like zero trust and phishing-resistant multifactor authentication," the agency said.

"Today's mobile networks are top targets for cybercriminals... We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences," FCC Chairwoman Jessica Rosenworcel said.

T-Mobile entered into the settlement despite not agreeing with the FCC's accusations. "The Bureau and T-Mobile disagree about whether T-Mobile's network and data security program and policies in place at the relevant times violated any standard of care or regulation then applicable to T-Mobile, but in the interest of resolving these investigations, and in the interest of putting consumer security first, the parties enter into this negotiated consent decree," the agreement said.

Biggest breach led to $350M settlement

In the 2021 incident, a criminal hacker "was able to gain access to a T-Mobile lab environment via a piece of telecommunications equipment by impersonating a legitimate connection to the piece of equipment," the consent decree said. The hacker exploited the initial access to gain entry into other parts of the network and obtain information on tens of millions of current and former customers.

The breach included "first and last names, addresses, dates of birth, Social Security numbers, and driver’s license numbers of 7.8 million current T-Mobile customers and approximately 40 million former, and prospective customers," the FCC said. Another 8 million people were affected but had fewer types of information exposed.

T-Mobile previously agreed to a $350 million settlement of a class-action lawsuit filed over the 2021 breach. Updates on payments to class members will be posted on a settlement website.

Another breach involving customer information happened in late 2022 when a threat actor gained unauthorized access to a T-Mobile management platform that MVNO resellers use to provision services to their customers, the consent decree said. The threat actor gained access using "an illegal SIM swap of a T-Mobile employee, a phishing attack on another T-Mobile employee, and at least one compromise of unknown origin."

The third breach covered in the consent decree occurred in early 2023 when "a threat actor used stolen T-Mobile account credentials to access a frontline sales application for which remote access had been enabled to maintain operations during the COVID-19 pandemic." The threat actor was able to "view certain customer data, including a limited amount of CPNI [Customer Proprietary Network Information]."

"T-Mobile became aware of the breach in late February 2023, when the Company noticed an increase in customer port-out complaints," the consent decree said. "The Company launched an investigation that, on or about March 30, 2023, revealed that a threat actor had obtained the account credentials for several dozen T-Mobile retail employees. T-Mobile believes that the threat actor obtained those credentials through a targeted phishing campaign."

Misconfigured permissions led to another breach

The fourth breach was also in early 2023 and is described as the "Application Programming Interface (API) Incident." The consent decree said:

Human error led to a misconfiguration in permissions settings that allowed a threat actor to submit queries and obtain T-Mobile customer account data. The API was able to access a limited set of certain customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features. T-Mobile's investigation indicated that the threat actor obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set.

The consent decree will remain in effect for three years. The FCC said the requirements include "designating a Chief Information Security Officer who will report regularly to the Board of Directors on cybersecurity matters... moving towards a 'zero trust' security framework and segmenting its network to limit the blast radius when a breach occurs,... implementing phishing-resistant multifactor authentication (MFA) to secure its networks and systems,... adopting data minimization, data inventory, and data disposal processes designed to limit its collection and retention of customer information,... identifying and promptly tracking critical assets on its network to prevent misuse or compromise,... [and] conducting independent third-party assessments of its information security practices."

T-Mobile issued a statement saying it has "made significant investments in strengthening and advancing our cybersecurity program and will continue to do so."

Jon Brodkin Senior IT Reporter
Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.