In September 2024, the Federal Communications Commission (FCC) reached a $31.5 million settlement with T-Mobile, resolving investigations into multiple data breaches that occurred between 2021 and 2023.
The settlement included a $15.75 million civil penalty and an equal investment in cybersecurity improvements. This agreement highlights the systemic failures in T-Mobile’s approach to data security and underscores the dangers posed by corporate negligence in safeguarding sensitive consumer information.
This article explores the timeline of these breaches, the FCC’s findings, and the broader implications for corporate accountability in the age of digital vulnerability.
The Timeline of T-Mobile’s Data Breaches
T-Mobile’s history of data breaches is a cautionary tale of repeated failures to protect customer information. The FCC’s investigation identified at least four major incidents between 2021 and 2023, each exposing millions of customers to heightened risks of identity theft and fraud.
August 2021: A Catastrophic Breach
In August 2021, T-Mobile revealed that a hacker had accessed its systems, exposing sensitive data for 7.8 million current customers and 40 million former or prospective customers. Compromised information included Social Security numbers, driver’s license details, names, and addresses. The breach occurred after months of reconnaissance by the attacker, who exploited weaknesses in T-Mobile’s network to move laterally across systems.
This breach led to a $350 million class-action settlement in 2022 but failed to prompt sufficient reforms in T-Mobile’s cybersecurity practices.
Late 2022: Phishing Attack on Employees
In late 2022, attackers used a phishing campaign targeting T-Mobile employees to gain unauthorized access to a management platform used by T-Mobile’s mobile virtual network operators (MVNOs), exposing customer proprietary network information (CPNI).
This incident highlighted not only technical vulnerabilities but also inadequate employee training on cybersecurity best practices.
January 2023: API Misconfiguration
In January 2023, T-Mobile disclosed another massive breach affecting 37 million customers due to an Application Programming Interface (API) misconfiguration.
The attacker exploited human error in permission settings, allowing unauthorized queries to extract customer data such as names, emails, and billing addresses.
This breach exposed the company’s failure to implement basic safeguards, such as regular audits and automated checks for configuration errors, that could have caught the misconfiguration before it was exploited.
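The kind of "automated check for configuration errors" mentioned above can be as simple as a script that audits a declarative API route table before deployment and refuses to ship any endpoint that returns customer data without authentication, without an object-level ownership check, or as an unbounded bulk listing. The following is an added illustration written for this article, not code from T-Mobile or the FCC; the route table, field names, severity labels and the `Route`/`Finding` types are all constructed for the example, and it assumes a team already declares its routes in some machine-readable form that such a check can read.

```python
"""Audit a declarative API route table for permission mistakes that expose
customer data (added example; routes and field names are constructed)."""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Response fields that count as customer PII for this check (constructed list).
SENSITIVE_FIELDS = frozenset(
    {"name", "email", "billing_address", "ssn", "driver_license", "account_pin"}
)


@dataclass(frozen=True)
class Route:
    path: str
    method: str
    auth: str                       # "none", "user" (end customer) or "service"
    returns: FrozenSet[str]         # fields present in the response body
    owner_check: bool = False       # handler verifies the caller owns the record
    max_page_size: Optional[int] = None  # None means the listing is unbounded


@dataclass(frozen=True)
class Finding:
    route: str
    severity: str
    reason: str


def audit_routes(routes: List[Route]) -> List[Finding]:
    """Return one finding per misconfiguration; an empty list means the table is clean."""
    findings: List[Finding] = []
    for r in routes:
        exposed = r.returns & SENSITIVE_FIELDS
        if not exposed:
            continue  # route returns no PII, nothing to enforce
        label = f"{r.method} {r.path}"
        if r.auth == "none":
            # Anonymous access to PII is the worst case; no need to pile on lesser findings.
            findings.append(Finding(label, "critical",
                                    f"unauthenticated access to {sorted(exposed)}"))
            continue
        is_single_object = "{" in r.path  # path parameter such as /customers/{id}
        if is_single_object and r.auth == "user" and not r.owner_check:
            # Authenticated, but any customer could read any other customer's record.
            findings.append(Finding(label, "high",
                                    "no object-level ownership check on user-scoped route"))
        if (r.method == "GET" and not is_single_object
                and (r.max_page_size is None or r.max_page_size > 100)):
            # Unbounded listings of PII let one credential drain the whole table.
            findings.append(Finding(label, "medium",
                                    "bulk listing of sensitive fields without a tight page limit"))
    return findings


def severity_counts(findings: List[Finding]) -> dict:
    """Summarise findings by severity, e.g. for a CI gate that fails on any 'critical'."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample route table: one clean route, one anonymous leak, one
# missing ownership check, one unbounded export, and one harmless public route.
SAMPLE_ROUTES = [
    Route("/v1/customers/{id}", "GET", "user",
          frozenset({"name", "email", "billing_address"}), owner_check=True),
    Route("/v1/customers", "GET", "none",
          frozenset({"name", "email", "billing_address"})),
    Route("/v1/accounts/{id}/pin", "GET", "user",
          frozenset({"account_pin"}), owner_check=False),
    Route("/v1/customers/export", "GET", "service",
          frozenset({"name", "ssn"}), max_page_size=None),
    Route("/v1/plans", "GET", "none", frozenset({"plan_name", "price"})),
]

if __name__ == "__main__":
    for f in audit_routes(SAMPLE_ROUTES):
        print(f"[{f.severity}] {f.route}: {f.reason}")
    print(severity_counts(audit_routes(SAMPLE_ROUTES)))
```

Run as a pre-deployment step, a check like this turns "human error in permission settings" from something discovered after 37 million records have been pulled into a failed build; the ownership-check and page-size rules are the ones that matter most, because an authenticated-but-unscoped endpoint is exactly the shape of bug that conventional authentication logging does not flag.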
March 2023: Targeted Customer Accounts
Between February and March 2023, another breach compromised 836 customer accounts, exposing highly sensitive data like Social Security numbers, government IDs, and account PINs.
The attackers gained access by stealing account credentials from retail employees—a clear indication of insufficient controls over internal access permissions.
Systemic Failures in Cybersecurity
The FCC’s investigation into these breaches revealed systemic shortcomings in T-Mobile’s cybersecurity practices:
- Failure to Protect Customer Proprietary Network Information (CPNI): T-Mobile violated Section 222 of the Communications Act by failing to safeguard CPNI from unauthorized access.
- Unreasonable Security Practices: The FCC found that T-Mobile had engaged in “unjust and unreasonable” information security practices under Section 201(b) of the Communications Act.
- Misrepresentation: The company misled customers about the adequacy of its security measures, further eroding trust.
These findings culminated in a consent decree requiring T-Mobile to overhaul its cybersecurity framework.
Settlement Terms: A Step Toward Accountability
Under the terms of the settlement announced on September 30, 2024, T-Mobile agreed to:
1. Pay a $15.75 Million Civil Penalty: This fine was paid directly to the U.S. Treasury as a consequence of regulatory violations.
2. Invest $15.75 Million in Cybersecurity: Over two years, this investment will address foundational vulnerabilities through measures such as:
   - Implementing zero-trust architecture.
   - Broadly adopting phishing-resistant multi-factor authentication (MFA).
   - Segmenting networks to limit the “blast radius” of potential breaches.
3. Develop a Comprehensive Information Security Program: The program includes:
   - Annual employee training on safeguarding customer data.
   - Regular audits by third-party cybersecurity firms.
   - Enhanced oversight by a Chief Information Security Officer (CISO), who will report directly to the board.
4. Strengthen Governance: T-Mobile must provide regular updates on its cybersecurity posture and the business risks posed by potential breaches.
While these measures are enforceable under the consent decree, they represent long-overdue changes that should have been implemented years ago.
Economic Fallout for Consumers
The financial impact on consumers affected by these breaches is profound:
- Victims face heightened risks of identity theft and fraud due to exposed Social Security numbers and other sensitive information.
- Many must incur out-of-pocket costs for credit monitoring services or legal assistance—expenses that disproportionately burden low-income individuals.
- Emotional distress from knowing their personal data is vulnerable adds an intangible but significant cost.
Despite these harms, fines like the $15.75 million penalty often fail to serve as meaningful deterrents for corporations generating billions in annual revenue.
For context, T-Mobile reported over $80 billion in revenue for fiscal year 2023—making this penalty less than a drop in the bucket compared to its overall earnings.
Corporate Accountability Under Neoliberal Capitalism
T-Mobile’s repeated data breaches are emblematic of broader issues within neoliberal capitalism, where corporations prioritize shareholder profits over consumer safety:
- Profit Over Prevention: Investing in robust cybersecurity measures is often seen as an expense rather than a necessity—until a breach occurs.
- Minimal Consequences: Regulatory fines are frequently absorbed as “costs of doing business,” failing to incentivize meaningful change.
- Erosion of Trust: Each new breach undermines public confidence not just in individual companies but in entire industries entrusted with sensitive data.
These systemic issues call for stronger regulatory frameworks that prioritize consumer protection over corporate profits.
A Roadmap for Reform
To prevent future breaches and hold corporations accountable, several steps must be taken:
- Stricter Penalties: Regulatory fines should be proportional to annual revenues or profits to ensure they serve as effective deterrents.
- Mandatory Cybersecurity Standards: Federal agencies should require companies handling sensitive data to adopt industry best practices like zero-trust architecture and MFA.
- Transparency Requirements: Companies must disclose breaches promptly—delays like those seen with T-Mobile’s March 2023 incident are unacceptable.
- Empowered Consumer Advocacy: Grassroots movements can amplify pressure on corporations while advocating for stronger legislative protections.
- Stakeholder Governance: Shifting from shareholder primacy to stakeholder governance would ensure decisions consider consumer safety alongside profitability.
A Call for Justice
T-Mobile’s $15.75 million penalty is a step toward accountability but falls short of addressing the systemic negligence that allowed these breaches to occur. Consumers deserve better—not just from T-Mobile but from all corporations entrusted with their personal information.
As advocates for social justice and corporate accountability, we must demand stronger protections against data breaches and hold companies accountable for their failures. True reform requires more than fines; it demands systemic change that prioritizes people over profits.
The stakes are too high for complacency. It’s time to ensure that corporations take their responsibility seriously—or face consequences that truly reflect the harm they cause.
NOTE:
This website is facing massive amounts of headwind trying to procure the lawsuits relating to corporate misconduct. We are being pimp-slapped by a quadruple whammy:
- The Trump regime's reversal of the laws & regulations meant to protect us is making it so victims are no longer filing lawsuits for shit which was previously illegal.
- Donald Trump's defunding of regulatory agencies led to the frequency of enforcement actions severely decreasing. What's more, the quality of the enforcement actions has also plummeted.
- The GOP's insistence on cutting the healthcare funding for millions of Americans in order to give their billionaire donors additional tax cuts has recently shut the government down. This government shutdown has also impacted the aforementioned defunded agencies' capabilities to crack down on evil-doers. Donald Trump has since threatened to make these agency shutdowns permanent on account of them being "democrat agencies".
- My access to the LexisNexis legal research platform got revoked. This isn't related to Trump or anything, but it still hurt as I'm being forced to scrounge around public sources to find legal documents now. Sadge.
All four of these factors are severely limiting my ability to access stories of corporate misconduct.
Due to this, I have temporarily decreased the number of articles published every day from 5 down to 3, and I will also be publishing articles from previous years, as I was fortunate enough to download a butt load of EPA documents back in 2022 and 2023 to make YouTube videos with.... This also means that you'll be seeing many more environmental violation stories going forward :3
Thank you for your attention to this matter,
Aleeia (owner and publisher of www.evilcorporations.com)
Also, can we talk about how ICE has a $170 billion annual budget, while the EPA-- which protects the air we breathe and water we drink-- barely clocks $4 billion? Just something to think about....