Wireless service provider T-Mobile has agreed to move to a “modern zero trust” security architecture, take steps to segment its networks, and implement some basic cyber hygiene practices under terms of a data breach settlement with the Federal Communications Commission (FCC).
The agency’s settlement agreement with the carrier resolves at least three cybersecurity breach investigations opened by the FCC’s Enforcement Bureau against T-Mobile since 2021. One of those breaches disclosed in January 2023 involved the theft of data on 37 million T-Mobile customers including addresses, phone numbers, and dates of birth.
Under terms of the settlement, T-Mobile will pay a $15.7 million fine to the U.S. Treasury and will also set aside another $15.7 million to help fund the cybersecurity agreements that the carrier has agreed to make.
On the security improvement front, the FCC said T-Mobile has agreed to “move toward a modern zero trust architecture and segment its networks.”
“This is one of the most important changes organizations can make to improve their security posture,” the agency said.
The company also committed “to broad adoption of multi-factor authentication methods within its network,” which the FCC explained is a “critical step in securing critical infrastructure, such as our telecommunications networks.”
“Abuse of authentication methods, for example through the leakage, theft, or deliberate sale of credentials, is the number one way that breaches and ransomware attacks begin,” the FCC said, adding, “Consistent application of best practice identity and access methods will do more to improve a cybersecurity posture than almost any other single change.”
Finally, the company agreed that its chief information security officer will provide the T-Mobile board of directors with regular reports on the company’s cybersecurity posture and related business risks.
“This is a foundational requirement for all well-governed companies,” the FCC said. “Corporate boards need both visibility and cybersecurity domain experience in order to effectively govern. This commitment ensures that the board’s visibility into cybersecurity is a key priority going forward.”
“Today’s mobile networks are top targets for cybercriminals,” commented FCC Chairwoman Jessica Rosenworcel.
“Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections,” she said. “We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”
Terms of the T-Mobile settlement mark “a significant step forward in protecting the networks that house the sensitive data of millions of customers nationwide,” said FCC Enforcement Bureau chief Loyaan Egal.
“With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans’ sensitive data,” Egal said.
