Mon Sep 30 23:28:16 UTC 2024

## T-Mobile to Pay $31.5 Million for Cybersecurity Lapses After Multiple Data Breaches
**WASHINGTON, D.C.** – T-Mobile US will pay a hefty $31.5 million to settle allegations of repeated cybersecurity failures that compromised the personal data of millions of customers. The Federal Communications Commission (FCC) announced the settlement today, accusing the telecommunications giant of violating the Communications Act of 1934 by failing to adequately protect customer information.
The settlement requires T-Mobile to pay a $15.75 million civil penalty to the US Treasury and invest an additional $15.75 million over the next two years to strengthen its cybersecurity program. This includes implementing stronger security measures, training employees on cybersecurity best practices, and upgrading its IT infrastructure.
The FCC alleges that T-Mobile suffered at least seven security breaches in the past five years, in which sensitive customer data was stolen and leaked on dark web marketplaces. While the settlement covers four specific incidents dating back to 2021, the FCC notes that T-Mobile’s scale will likely require significant and ongoing investment to effectively address cybersecurity vulnerabilities.
In a statement, T-Mobile acknowledged the settlement and emphasized its commitment to protecting customer data. The company claims it has already made significant investments in bolstering its cybersecurity program and will continue to do so. However, the settlement does not include any admission of wrongdoing by T-Mobile.
The FCC’s investigation found that the breaches involved various tactics by attackers, including exploiting vulnerabilities in T-Mobile’s systems, impersonating legitimate connections, guessing passwords, and utilizing stolen employee credentials. In one instance, a misconfigured API allowed attackers to access and steal data from 37 million accounts.
FCC Chair Jessica Rosenworcel highlighted the importance of strong cybersecurity protections for mobile networks, calling consumer data “too important and too sensitive to receive anything less than the best cybersecurity protections.”
The settlement comes on the heels of new FCC reporting rules requiring telecommunications companies to disclose data breaches to the public within seven days of discovery. This rule was implemented in February following a series of high-profile data breaches, including a recent incident involving Verizon that affected over 63,000 employees.