Close on the heels of its Consent Decrees with TracFone and AT&T, on September 27, 2024, the Enforcement Bureau of the Federal Communications Commission (FCC) announced that it reached a Consent Decree with T-Mobile US, Inc. to resolve an investigation into data breaches that occurred in 2021-2023. These breaches affected millions of T-Mobile customers and customers of T-Mobile mobile virtual network operator (MVNO) resellers.
T-Mobile will pay a $15,750,000 civil penalty, make $15,750,000 in additional cybersecurity spending over the next two years, and take various measures to strengthen its security program.
The TracFone Consent Decree emphasized securing web applications and application programming interfaces (APIs), and the AT&T Consent Decree focused on vendor protection of “covered data.” The T-Mobile Consent Decree introduces the idea of a “zero-trust framework,” a security model that assumes attackers may be present both inside and outside a network and therefore requires verification of all users and devices seeking to access a carrier’s assets and information.
The security controls highlighted in the T-Mobile Consent Decree (like those required by the TracFone Consent Decree and the AT&T Consent Decree) may be useful tools for other telecommunications carriers seeking to protect customer data as required by the Communications Act of 1934 and the FCC’s rules.
Controls to Improve Privacy and Data Security Practices
T-Mobile must maintain a comprehensive written information security program, with appropriate administrative, technical, and physical safeguards. These include:
- Chief Information Security Officer: Designation of a senior executive or officer who will be responsible for maintaining and monitoring T-Mobile’s information security program.
- Targeted Security Training for Employees: Employees with access to covered information must receive annual training.
- Network Access Controls: T-Mobile must conduct regular vulnerability scans of external-facing ports on its systems.
- Account and Password Management: T-Mobile must take several steps to authenticate and limit access to its networks, systems, and assets.
- Logging and Monitoring: T-Mobile must maintain technologies (such as intrusion prevention and detection) designed to detect and restrict unauthorized access or connections to its network.
Several Takeaways for Telecommunications Carriers
- The Importance of Employee Training: In at least one of the reported T-Mobile breaches, the threat actor gained unauthorized access via a phishing attack on a T-Mobile employee. Increasing employee awareness of potential security threats and risks is a critical element of an effective security program.
- Focus on Account and Password Management: Given the threat environment (which exists both inside and outside networks), carriers must consider and appropriately implement multi-factor authentication for access to systems that store sensitive information.
- Log and Monitor: Consider the use of tools such as intrusion prevention and detection systems, endpoint protection, threat monitoring, or other technologies designed to detect and restrict unauthorized access or connections. Review and update those tools periodically.
- Conduct Risk Assessments: Identify, assess, prioritize, and manage cybersecurity risks. Regularly review and revise your assessment program as technology and the threat environment evolve.
We will continue to monitor the FCC for similar orders addressing the information security requirements applicable to carriers and providers. Please contact us if you would like more information or have questions regarding the impact of this Order.