T-Mobile US to cough up $31.5M after that long string of security SNAFUs

At least seven intrusions in five years? Yeah, those promises of improvement more than 'long overdue'

by · The Register

T-Mobile US has agreed to fork out $31.5 million to improve its cybersecurity and pay a fine after a string of network intrusions affected millions of customers between 2021 and 2023.

Specifically, the telco has entered a legal settlement [PDF] with the FCC today that requires the carrier to pay a $15.75 million civil penalty to the US Treasury, and also spend $15.75 million over the next two years on its infosec program, including:

  • Designating a chief information security officer who will report regularly to the board of directors.
  • Building a zero-trust security framework and segmenting its network.
  • Implementing phishing-resistant multi-factor authentication across its networks and systems.
  • Adopting data minimization, inventory, and disposal processes to limit the amount of customer information it collects and retains.
  • Identifying and monitoring critical assets on its network.
  • Conducting independent third-party assessments of its information security practices. 

The settlement was reached after the FCC formally accused T-Mo of breaking its obligations under the Communications Act of 1934, which require carriers to do such outlandish things as protecting customers' information from theft and having in place reasonable cybersecurity defenses.

"Implementing these practices will require significant - and long overdue - investments," the FCC's settlement notes. "To do so at T-Mobile's scale will likely require expenditures an order of magnitude greater than the civil penalty here." 

By our count, the un-carrier has suffered at least seven IT security breaches over a five-year period, resulting in tens of millions of customers' data being stolen and leaked on dark web marketplaces. That said, the settlement officially covers four SNAFUs since 2021.

When asked about the deal, a T-Mobile US spokesperson told The Register the telco was already trying to shore up its computer security:

We take our responsibility to protect our customers' information very seriously. This consent decree is a resolution of incidents that occurred years ago and were immediately addressed. We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so.

As far as we can tell, T-Mo has admitted no wrongdoing in settling this case.

As outlined in the agreement, the first of the privacy breaches occurred in 2021. At that time, a criminal gained access to a T-Mo environment remotely, and ultimately stole a ton of sensitive personal and device information, including PINs, belonging to 76.6 million current, former, and prospective T-Mobile customers.

The FCC goes into some detail about that data theft:

A threat actor was able to gain access to a T-Mobile lab environment via a piece of telecommunications equipment by impersonating a legitimate connection to the piece of equipment.

Prior to achieving this access, the threat actor appears to have engaged in reconnaissance over a period of months. The threat actor was able to exploit this initial access and successfully guess passwords for certain servers, and then moved across network environments. As a result, the threat actor was able to access another lab environment, in which the threat actor engaged in additional network scanning and password-spraying attacks.

This enabled the threat actor to access other environments containing database backup files and other information. Forensic review confirmed the threat actor was able to exfiltrate data from these environments...

A year later, a crook broke into a management platform that T-Mobile US provides to its mobile virtual network operator (MVNO) resellers using a few different tactics, including an illegal SIM swap involving a T-Mo employee and a phishing attack against another employee.

Then in 2023, a miscreant used stolen T-Mob account credentials to access a sales application and view customer data. The un-carrier clocked this privacy breach after an increase in customer port-out complaints. An internal investigation revealed the attacker had stolen credentials belonging to "several dozen" retail employees, and these are believed to have been swiped in a phishing campaign.

And in a separate 2023 incident, T-Mobile US discovered a data security breach involving one of its APIs. "Human error led to a misconfiguration in permissions settings that allowed a threat actor to submit queries and obtain T-Mobile customer account data," the settlement says. Using this API, the data thieves stole a "limited set" of full customer account data along with about 37 million post- and pre-paid customer accounts.

"Today's mobile networks are top targets for cybercriminals," FCC boss Jessica Rosenworcel said in a statement [PDF]. "Consumers' data is too important and much too sensitive to receive anything less than the best cybersecurity protections." 

To this end, the FCC in February issued updated reporting rules that require telcos in America to officially disclose that a criminal has broken into their systems within seven days of discovering the intrusion.

The new FCC rule came just days after Verizon began notifying more than 63,000 people, mostly current employees, that someone had gained illicit access to their personal information. ®

AT&T, Verizon, Sprint, T-Mobile US fined $200M for selling off people's location infoCarriers claim real culprits are getting away with it - the data brokersThomas Claburn, 29 Apr 2024FCC reminds US mobile carriers that customer data needs to be protectedTelcos schooled on how to combat SIM swapping and port-out fraudRichard Speed, 13 Dec 2023FCC gets tough: Telcos must now tell you when your personal info is stolenYep, cell carriers didn't have to do this beforeBrandon Vigliarolo, 12 Feb 2024