T-Mobile and AT&T Data Breach Settlements at the FCC
On September 30th, T-Mobile and the FCC reached a settlement that includes over $30 million in penalties and mandatory cybersecurity spending resulting from significant data breaches in 2021, 2022, and 2023.
In this 8-minute podcast, Steve Rosen joins Tony Mangino to discuss the recent T-Mobile Consent Decree and a similar settlement with AT&T related to a data breach in 2023.
If you would like to learn more about our experience in this space, please visit our Mobile Services and Information Technology Advisory Services webpages.
In recent years, the telecommunications industry has faced significant challenges related to data breaches, impacting millions of customers and raising serious concerns about data security and privacy. Two major players in the industry, T-Mobile and AT&T, have been at the center of these incidents, each experiencing multiple breaches that exposed sensitive customer information.
T-Mobile’s Data Breaches
T-Mobile has suffered a series of data breaches in 2021, 2022, and 2023, affecting millions of its customers as well as those of its mobile virtual network operators (MVNOs). The breaches exposed personal information such as names, addresses, dates of birth, Social Security numbers, and driver’s license numbers, as well as Customer Proprietary Network Information (CPNI), including details about subscribed features and account lines.
In the 2021 breach, a hacker gained access to a T-Mobile lab environment by impersonating a legitimate connection to telecommunications equipment, ultimately accessing database backup files and other sensitive information. The 2022 breach involved unauthorized access to a management platform used by MVNO resellers, facilitated by tactics such as SIM swapping and phishing attacks. In 2023, two incidents occurred: one involving stolen account credentials used to access a frontline sales application, and another due to a misconfiguration in API permissions.
AT&T’s Data Breach
AT&T also faced a significant data breach in 2023, in which cybercriminals accessed a vendor’s cloud environment and exfiltrated customer information that AT&T had shared with the vendor. This breach exposed records of calls and texts, including details about whom users contacted, when, and for how long. The vendor had failed to delete or return the customer information as required by its contracts with AT&T, which left the data in place to be stolen.
Regulatory Fallout and Measures Taken
Both companies faced substantial regulatory actions following these breaches. AT&T entered into a consent decree with the FCC, agreeing to pay a $13 million civil fine and to enhance its privacy and data security practices. These enhancements include protecting CPNI, limiting vendor access to sensitive information, implementing an Information Security Program, and conducting annual compliance audits.
Similarly, T-Mobile reached a settlement with the FCC, agreeing to implement a comprehensive security program and pay a civil penalty of $15,750,000, with an additional $15,750,000 in cybersecurity spending over the next two years. The measures T-Mobile agreed to include designating a Chief Information Security Officer (CISO), adopting a zero trust security framework, implementing phishing-resistant multifactor authentication, and conducting independent third-party assessments of its information security practices.
Conclusion
The data breaches experienced by T-Mobile and AT&T highlight the critical importance of robust data security measures in the telecommunications industry. These incidents serve as a wake-up call for companies to reassess their security protocols, vendor management practices, and overall approach to protecting customer information. As these companies implement the agreed-upon measures, it is hoped that such breaches will become less frequent, ensuring better protection for customer data in the future.