T-Mobile is paying more than $30 million in a government settlement because of massive data breaches.
The cellphone provider will pay a $15.75 million civil penalty and invest a separate $15.75 million in cybersecurity following a series of data breaches in 2021, 2022 and 2023 that exposed the data of tens of millions of people, the Federal Communications Commission said Monday.
A 2021 T-Mobile data breach exposed the records of 76.6 million people and a 2023 breach affected 37 million, including the theft of dates of birth and first and last names, the FCC said.
The changes T-Mobile has to make under the settlement include regular reports to the company's board on cybersecurity, moving to a so-called zero-trust architecture, segmenting its networks and broad adoption of multi-factor authentication.
“Today’s mobile networks are top targets for cybercriminals,” FCC Chairwoman Jessica Rosenworcel said. “Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections.”
"We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences."
T-Mobile told Reuters that it takes "our responsibility to protect our customers’ information very seriously" and has "made significant investments in strengthening and advancing our cybersecurity program and will continue to do so."
There were more than 1 billion data breach victims in the first half of 2024, in large part due to major breaches at Ticketmaster and Advance Auto Parts.
Even so, the number of data breach victims has been falling in recent years as the number of successful attacks has risen, suggesting that hackers are going after more specific, valuable information.
How to protect yourself from data breaches
Strong passwords: Create long and complex passwords and check if the service you are using requires them.
Two-factor authentication: This will require two or more credentials to log in to an account, such as both your password and a one-time code texted to your phone.
CAPTCHA: If companies require a user to enter a series of characters from an image to use services, this will slow down attackers.
Read news: A simple Google search can show if a company has been breached in recent years.
Security certifications: Look for seals of approval, such as from the International Organization for Standardization, that a website follows best cybersecurity practices.
Encryption: Check if a website uses encryption, such as SSL and the lock for HTTPS.
Passkeys: There is a push to switch to passkeys, which authenticate logins without using a username or password.
What to do after a data breach
Follow the letter: Companies should send out a letter if you are a victim of a data breach. Read it carefully to get more details about what data was exposed and the steps the company recommends you take.
Freeze your credit: Contact each of the three credit bureaus, Experian, Equifax and TransUnion, and get your credit frozen so a criminal can’t open cards or other lines in your name.
Credit monitoring: Often, companies will offer free credit monitoring or other services after a data breach.
Reset passwords: Change your passwords and use different ones for services.
Use a password manager: LastPass and services built into web browsers such as Google Chrome and Microsoft Edge can create and store strong passwords for you.
Opt out of data collection: If you have the right in your state, you can email services you use to request they don’t collect your data for use by third parties.
Request to have your data deleted: For services you don’t use, ask to have your data deleted. California and other states have written this into law.