FCC orders T-Mobile to deliver zero trust and better MFA

T-Mobile must complete the move to zero trust and improve authentication, along with implementing better data minimization and improving asset inventory, said a US Federal Communications Commission (FCC) consent decree that the commission published on Monday.

The settlement stems from a series of FCC investigations focused on three major T-Mobile data breaches in 2021, 2022, and 2023, which impacted millions of its customers. 

It also includes T-Mobile’s agreement to pay a $15.75 million civil penalty, as well as a promise to invest the identical amount over the next two years “to strengthen its cybersecurity program, and develop and implement a compliance plan to protect consumers against similar data breaches in the future.”

Although some have criticized the amounts as “peanuts” given T-Mobile’s annual revenue last year of $63.2 billion, the FCC said that it expects T-Mobile to make significantly greater cybersecurity investments on top of the $15.75 million.

“Implementing these practices will require significant — and long overdue — investments. To do so at T-Mobile’s scale will likely require expenditures an order of magnitude greater than the civil penalty here,” the consent decree said. One order of magnitude greater than the $15.75 million penalty would be $157.5 million.

“The Commission will hold T-Mobile accountable for making these mandatory changes to comply with statutory and regulatory obligations going forward and to ensure that T-Mobile does not create unnecessary cybersecurity risk for others through its business practices” during activities such as mergers and acquisitions.

The decree’s specific requirements for cybersecurity enhancements were: 

  • Corporate governance. Requiring that the CISO report regularly to the board.
  • “Moving towards a zero trust security framework and segmenting its network to limit the blast radius when a breach occurs.”
  • Identity and access management: implementing “phishing-resistant” multifactor authentication (MFA). The FCC didn’t define what it meant by phishing-resistant.
  • Data minimization and deletion: “adopting data minimization, data inventory, and data disposal processes designed to limit its collection and retention of customer information.”
  • “Critical asset inventory: identifying and promptly tracking critical assets on its network to prevent misuse or compromise.”
  • Independent third-party assessments of its information security practices.

“With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans’ sensitive data,” said Loyaan A. Egal, chief of the enforcement bureau and chair of the privacy and data protection task force, in a statement. “We will continue to hold T-Mobile accountable for implementing these commitments.”

T-Mobile declined a CSO request for an interview about the consent decree — as did the FCC — but the company did issue a brief statement:

“We take our responsibility to protect our customers’ information very seriously. This consent decree is a resolution of incidents that occurred years ago and were immediately addressed. We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so.”

Penalties should be tougher: analysts

Forrester senior analyst Alla Valente said the cybersecurity requirements from the decree “are all things that T-Mobile should have been doing all along. These are best practices that they should be doing anyway.”

As for the penalty and the required investment amounts, Valente dubbed them both “peanuts for T-Mobile. It’s not something that is going to punch them in the gut.”

But, she argued, much of this is the result of July’s US Supreme Court decision that gutted the power of federal agencies.

“Agency power has been diminished a lot over the last year or so,” she said, and the Supreme Court decision “took a lot of teeth out of the agencies.”

Had the FCC sought materially more money, T-Mobile would have likely appealed, hoping that a friendly Supreme Court would not back up the FCC.

Michael Oberlaender, who has served as a CISO for eight enterprises and as a board member of the FIDO Alliance, agreed. He compared the penalties imposed by US agencies with those of their European counterparts.

The penalties “should have been much more stringent. A fine of ten percent of revenue would send shock waves,” Oberlaender said. “As long as the minimal fines are imposed, nothing will ever change. What European regulators are doing is 10, 20 times higher than the US, and that makes a huge difference.”

He also agreed with Valente about the low-level cybersecurity requirements. 

“These are all basics that any business should have in their environment. This is not enough. They are checklisting the pure basics,” said Oberlaender, who is the author of Raising the Bar For Cybersecurity.

Oberlaender also said he was concerned about the termination of the consent decree, which is in three years. “I am curious: What happens afterwards? It remains to be seen which of these steps will be entertained, enforced and continuously improved afterwards. History has taught us that when the public scrutiny eye focuses elsewhere, companies tend to loosen the screws until the next one.”
