The Federal Communications Commission (FCC) says that the combination of fine and promised security enhancements represents a model for future handling of such incidents ...
The summer of 2021 saw a huge T-Mobile security breach, exposing the personal data of more than 100 million customers. This included sensitive data needed for identity theft, like home address and date of birth. Another breach followed later the same year, along with others in 2022 and 2023.
The company admitted to a further breach in January of this year, impacting 37 million customers. Then yet another one in May, in which social security numbers were compromised.
The FCC reached what it calls a "groundbreaking" settlement with T-Mobile in respect of three of these cases.
The Federal Communications Commission today announced a groundbreaking data protection and cybersecurity settlement with T-Mobile to resolve the Enforcement Bureau's investigations into significant data breaches that impacted millions of U.S. consumers.
To settle the investigations, T-Mobile has agreed to important forward-looking commitments to address foundational security flaws, work to improve cyber hygiene, and adopt robust modern architectures, like zero trust and phishing-resistant multi-factor authentication. The Commission believes that implementation of these commitments, backed by a $15.75 million cybersecurity investment by the company as required by the settlement, will serve as a model for the mobile telecommunications industry.
As part of the settlement, the company will also pay a $15.75 million civil penalty to the U.S. Treasury.
Separately, T-Mobile was recently fined $60M by a less well-known government body for failing to prevent unauthorized access to sensitive data, and for further failing to report the failure.