T-Mobile US To Cough Up $31.5M After That Long String Of Security SNAFUs

T-Mobile US has agreed to fork out $31.5 million to improve its cybersecurity and pay a fine after a string of network intrusions affected millions of customers between 2021 and 2023.

Specifically, the telco has entered a legal settlement [PDF] with the FCC today that requires the carrier to pay a $15.75 million civil penalty to the US Treasury, and also spend $15.75 million over the next two years on its infosec program, including:

• Designating a chief information security officer who will report regularly to the board of directors.
• Building a zero-trust security framework and segmenting its network.
• Implementing phishing-resistant multi-factor authentication across its networks and systems.
• Adopting data minimization, inventory, and disposal processes to limit the amount of customer information it collects and retains.
• Identifying and monitoring critical assets on its network.
• Conducting independent third-party assessments of its information security practices. 

The settlement was reached after the FCC formally accused T-Mo of breaking its obligations under the Communications Act of 1934, which require carriers to do such outlandish things as protecting customers' information from theft and having in place reasonable cybersecurity defenses.

"Implementing these practices will require significant - and long overdue - investments," the FCC's settlement notes. "To do so at T-Mobile's scale will likely require expenditures an order of magnitude greater than the civil penalty here." 

By our count, the un-carrier has suffered at least seven IT security breaches over a five-year period, resulting in tens of millions of customers' data being stolen and leaked on dark web marketplaces. That said, the settlement officially covers four SNAFUs since 2021.

When asked about the deal, a T-Mobile US spokesperson told The Register the telco was already trying to shore up its computer security:

As far as we can tell, T-Mo has admitted no wrongdoing in settling this case.

As outlined in the agreement, the first of the privacy breaches occurred in 2021. At that time, a criminal gained access to a T-Mo environment remotely, and ultimately stole a ton of sensitive personal and device information, including PINs, belonging to 76.6 million current, former, and prospective T-Mobile customers.

The FCC goes into some detail about that data theft:

A year later, a crook broke into a management platform that T-Mobile US provides to its mobile virtual network operator (MVNO) resellers using a few different tactics, including an illegal SIM swap involving a T-Mo employee and a phishing attack against another employee.

• AT&T, Verizon, Sprint, T-Mobile US fined $200M for selling off people's location info
• FCC reminds US mobile carriers that customer data needs to be protected
• FCC gets tough: Telcos must now tell you when your personal info is stolen

Then in 2023, a miscreant used stolen T-Mob account credentials to access a sales application and view customer data. The un-carrier clocked this privacy breach after an increase in customer port-out complaints. An internal investigation revealed the attacker had stolen credentials belonging to "several dozen" retail employees, and these are believed to have been swiped in a phishing campaign.

And in a separate 2023 incident, T-Mobile US discovered a data security breach involving one of its APIs. "Human error led to a misconfiguration in permissions settings that allowed a threat actor to submit queries and obtain T-Mobile customer account data," the settlement says. Using this API, the data thieves stole a "limited set" of full customer account data along with about 37 million post- and pre-paid customer accounts.

"Today's mobile networks are top targets for cybercriminals," FCC boss Jessica Rosenworcel said in a statement [PDF]. "Consumers' data is too important and much too sensitive to receive anything less than the best cybersecurity protections." 

To this end, the FCC in February issued updated reporting rules that require telcos in America to officially disclose that a criminal has broken into their systems within seven days of discovering the intrusion.

The new FCC rule came just days after Verizon began notifying more than 63,000 people, mostly current employees, that someone had gained illicit access to their personal information. ®