Regulators’ “strong message” over multiple T-Mobile breaches: 14 cents per exposed user


T-Mobile has agreed to pay a fine of over $15 million for a series of data breaches spanning several years. Tens of millions of customers were exposed, pushing the fine’s value per person down to less than a dime and a nickel combined.

T-Mobile, one of the largest US mobile carriers, agreed to pay $15.75 million to the US Treasury after multiple data breaches between 2021 and 2023 rocked the company and its customers. The Deutsche Telekom-owned brand also agreed to spend a further $15.75 million strengthening its cybersecurity posture to protect against future attacks.

The settlement covers four different incidents, two of which exposed tens of millions of the carrier’s customers. The August 2021 attack exposed 76.6 million T-Mobile customers, while the January 2023 attack revealed details of 37 million individuals.


The settlement also covers the 2022 attack, during which attackers accessed T-Mobile’s management platform, which the company provides to its mobile virtual network operator (MVNO), and the 2023 incident, during which attackers stole T-Mobile account credentials to view certain customer details.

While each attack happened under different circumstances, with malicious actors obtaining different sets of information, T-Mobile customers had their names, home addresses, dates of birth, driver’s license, and Social Security numbers exposed.

While some customers may have had their data exposed multiple times, by adding up the total number of victims we get around 113.6 million. That would mean that the FTC’s fine cost the carrier $0.14 per exposed user. Even if we worked under the assumption that no new customers were exposed past the August 2021 attacks, we’d see that the T-Mobile fine prices each exposed user at $0.20.

“Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences,” FCC Chairwoman Jessica Rosenworcel said.

T-Mobile has also agreed to beef up its cybersecurity posture by investing another $15.75 million “for data security and related technology and operations.” The settlement outlines that the company will spread the money over a period of two years. The FTC’s Enforcement Bureau reserves the right to request documentation on how the money was spent.

The settlement will allow T-Mobile to take a breath, as the US’ third-largest carrier will no longer have to worry that it’s being investigated for “failure to protect the confidentiality of customers’ private information,” “impermissibly using, disclosing, or permitting access to individually identifiable” customer data without their approval, and “failing to take reasonable measures to discover and protect against attempts to gain unauthorized access.”

T-Mobile is a major market player in the US with around 119 million customers. The company reported revenue exceeding $63 billion in 2023, up from $58.4 billion in 2021. Deutsche Telekom, a German telecommunications company, is the company's majority shareholder. Deutsche Telekom is the largest telecommunications company in Europe and the fifth largest in the world.
