T-Mobile revealed on August 16th, 2021, that it had been the target of a criminal cyberattack by a third party that allowed the attacker to access customer data without authorization. The network operator announced that about 76.6 million US residents’ data had been stolen, including that of some of GEEKSPIN’s staff.
The announcement came after reports began to circulate that Social Security numbers, names, addresses, and driver’s license information for over 100 million T-Mobile customers were available for sale.
T-Mobile would eventually disclaim the reported figures, but the damage was already done. It was the fifth breach the company had suffered in four years. Multiple putative class action lawsuits were filed against T-Mobile after it confirmed the reports.
The result of the discussions with involved parties is a proposed $350 million settlement from T-Mobile, which is coupled with a commitment from T-Mobile to increase its 2022/2023 “Data Security and Related Technology” budget by $150 million. That brings the total cost of the settlement for T-Mobile to $500 million.
To ensure the settlement is not seen as an admission of guilt, the proposed settlement document states that T-Mobile denies all the allegations. It specifically denies that it failed to properly protect personal information per its duties, had inadequate data security, was unjustly enriched by the use of personal data of the impacted individuals, violated state consumer statutes and other laws, and improperly or inadequately notified potentially impacted individuals.
In reaction to the “increasing frequency and severity of security breaches involving customer information”, on January 12, 2022, FCC Chairwoman Jessica Rosenworcel shared with her colleagues a Notice of Proposed Rulemaking (NPRM) that aims to strengthen the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI).
In an FCC press release, the Chairwoman is quoted as stating:
“Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers… Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after exposure of personal information. I look forward to having my colleagues join me in taking a fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”
The FCC proposal will make the following updates to current FCC rules addressing telecommunications carriers’ breach notification requirements:
- Eliminating the current seven-business-day mandatory waiting period for notifying customers of a breach;
- Expanding customer protections by requiring notification of inadvertent breaches; and
- Requiring carriers to notify the Commission of all reportable breaches in addition to the FBI and U.S. Secret Service.