By David Shepardson
WASHINGTON (Reuters) -T-Mobile has reached a $31.5 million settlement to resolve a probe by the Federal Communications Commission into significant data breaches over three years that impacted tens of millions of U.S. consumers, the agency said on Monday.
T-Mobile will pay a $15.75 million civil penalty and has agreed to spend another $15.75 million over two years to strengthen its cybersecurity program. The FCC said T-Mobile suffered data breaches in 2021, 2022 and 2023 that impacted millions of current, former or prospective T-Mobile customers.
The 2021 breach alone impacted 76.6 million U.S. consumers while a 2023 breach impacted 37 million, the FCC said.
The FCC said T-Mobile, the nation's third largest wireless carrier with 119.7 million customers, will address "foundational security flaws, work to improve cyber hygiene, and adopt robust modern architectures, like zero trust and phishing-resistant multi-factor authentication."
"Today’s mobile networks are top targets for cybercriminals," said FCC Chairwoman Jessica Rosenworcel. "We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences."
T-Mobile said Monday it takes "our responsibility to protect our customers’ information very seriously" and added it has "made significant investments in strengthening and advancing our cybersecurity program and will continue to do so."
Earlier this month, the FCC said AT&T (NYSE:T) had agreed to pay $13 million to resolve an investigation over a data breach of a cloud vendor in January 2023 that impacted 8.9 million AT&T wireless customers.
AT&T disclosed in July a separate massive hacking incident in April that resulted in the illegal downloading of about 109 million customer accounts that is under FCC investigation.
In July, the FCC said Verizon (NYSE:VZ)'s TracFone Wireless agreed to pay $16 million over data breaches and implement reforms.