T-Mobile US to cough up $31.5M after that long string of security SNAFUs

September 30, 2024 at 06:05PM

T-Mobile US has agreed to pay a $31.5 million settlement after a series of cybersecurity breaches affecting millions of customers. The agreement requires the company to invest in its information security program, including appointing a chief information security officer, implementing a zero-trust security framework, and conducting third-party security assessments. The breaches involved the theft of sensitive customer data and led to increased customer port-out complaints.

T-Mobile US has agreed to improve its cybersecurity and pay a significant fine after a series of network intrusions affecting millions of customers between 2021 and 2023.

The telco has reached a legal settlement with the FCC, which entails paying a $15.75 million civil penalty to the US Treasury and investing an equal amount over the next two years in its infosec program. The specific measures T-Mobile will need to undertake include designating a chief information security officer, building a zero-trust security framework, implementing multi-factor authentication, conducting independent third-party assessments, and more.

The FCC settlement follows several IT security breaches at T-Mobile, which resulted in the theft of tens of millions of customers' data and its leakage on dark web marketplaces. Although the company suffered at least seven IT security breaches over a five-year period, the settlement officially covers four incidents since 2021.

Notably, the telco maintains that it has not admitted any wrongdoing in settling the case and has already been working on strengthening its cybersecurity. The FCC emphasized the importance of robust cybersecurity defenses, particularly in mobile networks, underscoring the need for verifiable cybersecurity protections.

In view of these developments, it is clear that T-Mobile will need to make substantial and long-overdue investments to enhance its cybersecurity practices and address the shortcomings that have led to these breaches.
