Half of this settlement amount, or $15.75 million, will be poured back into the company as a cybersecurity investment. The fund will be used to shake out its security flaws and improve resilience to cyber threats. The remainder is a civil penalty.
The breaches impacted hundreds of thousands of consumers across the US, prompting the FCC to open an investigation into whether the company failed to meet its obligation to safeguard customer data, allowed access to individually identifiable customer proprietary network information (CPNI) without customer consent, and had lax security practices.
The breaches
The first incident occurred on August 21, 2021, when a hacker accessed the company's network and customer data such as name, address, date of birth, Social Security number, driver's license number, device identifier, and account PIN.
In late 2022, another threat actor successfully gained access to the management platform for T-Mobile's mobile virtual network operators (MVNOs), which contains customer information.
In early 2023, a cybercriminal stole T-Mobile account credentials and got their hands on a frontline sales application for which remote access had been enabled during the COVID-19 pandemic, allowing them to view certain customer data.
In January 2023, a misconfigured permissions setting allowed a threat actor to obtain customer account data.
The civil penalty will be paid to the US Treasury, and T-Mobile is required to spend $15,750,000 over the next two years to improve its cybersecurity program and implement a compliance plan to protect consumers from similar breaches in the future.
T-Mobile is going to designate a Chief Information Security Officer who will report to the Board of Directors on cybersecurity issues. It also aims to adopt a zero trust security framework to reduce the impact radius of breaches and implement phishing-resistant multifactor authentication (MFA) to bolster the security of its network.
The company has also decided to conduct independent third-party assessments of its information security practices.
The FCC calls this settlement "groundbreaking," and hopes that it will send a message to other companies that there will be consequences if they don't beef up their systems. The Commission previously settled with Verizon's TracFone for $16 million and AT&T for $13 million to resolve breach investigations.
With T-Mobile steadily acquiring more companies to grow its customer base, it is now in possession of more data than before, which underscores the importance of a watertight security system.
The wide-ranging terms set forth in today's settlement are a significant step forward in protecting the networks that house the sensitive data of hundreds of thousands of consumers nationwide. With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we're focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans' sensitive data. We'll continue to hold T-Mobile accountable for implementing these commitments.
Loyaan A. Egal, Chief, Enforcement Bureau, and Chair, Privacy and Data Protection Task Force, September 2024