United States Fines T-Mobile $60 Million for Failing to Prevent Unauthorized Access to Sensitive Customer Data

[MacRumors]

T-Mobile was fined $60 million by the Committee on Foreign Investment in the US (CFIUS) for negligence surrounding data breaches, reports Reuters. CFIUS penalized T-Mobile for failing to prevent or disclose unauthorized access to sensitive customer data.

When T-Mobile merged with Sprint, it signed a national security agreement with CFIUS, which is what led to the fine earlier this year. T-Mobile is owned by German company Deutsche Telekom, and T-Mobile agreed to protect consumer data as part of the Sprint acquisition. Back in 2021, T-Mobile suffered a major breach that impacted over 100 million of its users, just a year after it acquired Sprint.

CFIUS does not typically name the companies that it fines, but T-Mobile has been called out in an effort to push companies to comply with national security rules associated with acquisitions.

In 2024, following an initial Notice of Penalty issued in 2023, CFIUS resolved an enforcement action against T-Mobile US, Inc. ("T-Mobile"), a telecommunications company, resulting in a $60 million penalty. As publicly disclosed by T-Mobile, the company entered into a National Security Agreement ("NSA") with CFIUS in 2018 in connection with T-Mobile's merger with Sprint and the foreign ownership of the resulting entity. CFIUS determined that between August 2020 and June 2021, in violation of a material provision of the NSA, T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data and failed to report some incidents of unauthorized access promptly to CFIUS, delaying the Committee's efforts to investigate and mitigate any potential harm. CFIUS concluded that these violations resulted in harm to the national security equities of the United States. T-Mobile has worked with CFIUS to enhance its compliance posture and obligations and has committed to working cooperatively with the U.S. Government to ensure compliance with its obligations going forward.

T-Mobile told Reuters that it experienced technical issues when integrating with Sprint, which affected information from "a small number of law enforcement information requests." T-Mobile claims to have swiftly dealt with the issue and reported it "in a timely manner."

CFIUS said that T-Mobile's lack of timely reporting prevented CFIUS from investigating and mitigating potential harm to U.S. national security.

Article Link: United States Fines T-Mobile $60 Million for Failing to Prevent Unauthorized Access to Sensitive Customer Data

 

[Apple_Robert]

I don’t buy T-Mobile’s reply. Glad they were fined.

 

[MakaniKai]

Do I get a dollar?

 

[raythompsontn]

Great, $60 million to CFIUS, $0 million to the people actually harmed. Fines are becoming cash cows for the other entities. That fine will not be paid by T-Mobile, but by the users through increased rates. The CFIUS effectively fined the users.

 

[JordanCautious]

"Oh look! Another slap on the wrist! That will show them!" said no one ever.

 

[MakaniKai]

Great, $60 million to the government, $0 million to the people actually harmed. Fines are becoming cash cows for the government. That fine will not be paid by T-Mobile, but by the users through increased rates. The government effectively fined the users.

Yep and T-Mobile just raised my rates despite the "Price Lock" they guaranteed me when signing up 🤪

 

[dbc34]

Great, $60 million to CFIUS, $0 million to the people actually harmed. Fines are becoming cash cows for the other entities. That fine will not be paid by T-Mobile, but by the users through increased rates. The CFIUS effectively fined the users.

100% facts on both parts.

 

[bladerunner88]

Great, $60 million to CFIUS, $0 million to the people actually harmed. Fines are becoming cash cows for the other entities. That fine will not be paid by T-Mobile, but by the users through increased rates. The CFIUS effectively fined the users.

Not to mention somehow in the Accounting shenanigans the Fine becomes a Tax Write Off as a "Loss" and as OP mentioned nothing ever goes to help make Customers whole again....oh sure maybe some "Free" Data monitoring by yet another 3rd Party entity. Just #$%^*(%^#$# Great!!

 

[gleepskip]

I guess National Public Data will get fined 40 quadrillion dollars then.

 

[arkmannj]

And how will the 60 million be used? will it go directly to helping the people (potentially) affected? Companies need to start being liable and responsible for the stewardship of the data they store. If it leaks they should be providing all potentially affected people with a lifetime of credit monitoring, and pay for services to recover from identity theft for life.

As it is, these companies just consider this kind of action a "cost of doing business" and have little incentive to be worried about serious ramifications.

 

[OrcaAreCute]

How much did the government fine themselves when OPM was hacked in 2013?

 

[coffeemilktea]

Back in 2021, T-Mobile suffered a major breach that impacted over 100 million of its users, just a year after it acquired Sprint.

"Suffered a major breach" As I recall, T-Mobile suffered three data breaches alone in 2021 (in January, August, and December), and a total of nine data breaches overall since the start of 2018.

At this point, their CEO might as well stand out on a street corner and hand out his customers' personal data, considering their cybersecurity measures are about as useful as a screen door on a submarine. Does T-Mobile recruit their security experts from the same place Boeing gets their engineers? 😫

 

[zencowboy]

So my bill is going up

 

[jblank]

How about some recompense for the customers? This almost reminds me of class action lawsuits where the attorneys get millions and the plaintiffs get a ham sandwich.

 

[Robert.Walter]

60 million, hahaha just the cost of doing business.

 

[antiprotest]

How about some recompense for the customers? This almost reminds me of clash action lawsuits where the attorneys get millions and the plaintiffs get a ham sandwich.

You won't even get a slice of bread. And YOU are the one paying the fine for T-mobile failing to protect you. You are the one getting punished. So the hackers win, the CFIUS wins, t-mobile is ok, and you are both hacked and fined. It's so messed up.

 

[jblank]

You won't even get a slice of bread. And YOU are the one paying the fine for T-mobile failing to protect you. You are the one getting punished. It's so messed up.

Exactly. I'm very much a free-market capitalist but corporations have too much power and influence and too little accountability, in the US today. This "penalty" and all other fines/penalties like this, should go DIRECTLY to the customer.

 

[Tofupunch]

Yep and T-Mobile just raised my rates despite the "Price Lock" they guaranteed me when signing up 🤪

The customers are paying for the fine! Highway robbery

 

[maczaddy]

I guess National Public Data will get fined 40 quadrillion dollars then.

lol you beat me to it 🤣

 

[lkrupp]

So my bill is going up

Yep! The customer always pays.

 

[bobdobalina]

60 cents per customer is a slap on the wrist.

 

[exodiusprime]

T-Mobile: "We're sorry your data got stolen. Here's a free year of credit monitoring and $5 off your next screen protector purchase"

How about some recompense for the customers? This almost reminds me of clash action lawsuits where the attorneys get millions and the plaintiffs get a ham sandwich.

 

[russell_314]

My data was part of the breach. The fine does nothing. It’s just a business expense and no changes will happen.

 

[ProbablyDylan]

My information was also part of the breach. The consumer protections in America are a joke.

 

[Student of Life]

They should also directly target fines to the executive officers involved. That way the feel the real burden of their own actions. Fining the company is nice in theory but in reality the fine will be moved to the consumer.