
T-Mobile agrees to pay $31.5 million fine for multiple data breaches


T-Mobile will be paying a fine of $31.5 million to end investigations into multiple data breaches. Half of the amount will have to be spent on improving cybersecurity.

T-Mobile to pay a fine for previous data breaches

The US Federal Communications Commission (FCC) has ordered T-Mobile US to pay a $31.5 million penalty. The fine is reportedly part of a settlement between the two over a string of breaches that occurred between 2021 and 2023.

T-Mobile suffered multiple data breaches in the aforementioned years. Several weaknesses, including remote access being enabled to a frontline sales application, allowed hackers to compromise the company's security.

T-Mobile customer data, including names, addresses, dates of birth, social security numbers, driver’s license numbers, device identifiers, and account PINs, has been exposed. The latest data breach occurred in 2023. Concerningly, it was T-Mobile’s fault, as the company had misconfigured permissions settings. This allowed hackers to obtain customer account data.

As a collective penalty for these breaches, T-Mobile will pay a $31.5 million fine to the FCC. Interestingly, half of the penalty will revert to T-Mobile for ramping up the cybersecurity of its operations.

How will T-Mobile improve cybersecurity?

The FCC is calling this settlement “groundbreaking.” The agency hopes its actions will send a message to other carriers that there will be consequences if they don’t beef up their systems.

Of the $31.5 million, $15.75 million will go to the United States Treasury. The company will have to spend the other half of the amount to improve its cybersecurity program.

T-Mobile has two years to implement a compliance plan designed to protect consumers from similar breaches in the future. As part of the process, T-Mobile will designate a Chief Information Security Officer, who will report to the Board of Directors on cybersecurity issues.

T-Mobile will also conduct independent third-party assessments of its information security practices. This could involve hiring cybersecurity experts who try to break into the company’s secure networks and alert the company to any potential weak spots or vulnerabilities.

The telecom company will reportedly adopt and implement a “zero-trust security framework.” Additionally, employees and customers may have to adopt multifactor authentication (MFA), which may involve OTPs, security keys, and other technologies for secondary authentication.


