U.S. wireless giant T-Mobile gets hacked a lot. In fact, the company has been hacked eight times in the last five years, with several of the intrusions exposing the sensitive personal data of millions of T-Mobile customers. The last hack, revealed in a 2023 SEC filing, exposed the names, addresses, social security numbers, and other sensitive information of over 37 million T-Mobile subscribers.

It took half a decade, but the FCC has finally taken action, announcing last week that it struck a new settlement with T-Mobile related to the breaches. As part of the deal, T-Mobile has agreed to pay $15.75 million to ramp up its security standards and practices (money it should have already spent on the issue), and another $15.75 million in civil penalties to the U.S. Treasury.

“Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections,” FCC boss Jessica Rosenworcel said in a prepared statement. “We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.”

One could argue that a $15.75 million fine years after the fact isn’t quite the deterrent Rosenworcel insists it is, given T-Mobile’s made untold millions (or billions) of dollars over the last decade playing fast and loose with consumer privacy.

As with so many modern companies, T-Mobile over-collects data then doesn’t take the necessary steps to protect said data. It then lobbies state and federal lawmakers to ensure we don’t shore up U.S. privacy protections (as it did when Republicans gutted the FCC’s fairly modest broadband privacy rules, or when it lobbies to kill new federal privacy laws), and the cycle repeats itself in perpetuity.

T-Mobile has a bit of a history of being sloppy with the vast location data it collects on users, then fighting tooth and nail against whatever slapdash accountability U.S. regulators can feebly muster. T-Mobile recently dramatically expanded the company’s collection of user browsing and app usage data via a new program dubbed “app insights.”

In T-Mobile’s case, its federally-backed quest to erode sector competition and merge with Sprint not only resulted in untold layoffs and an immediate end to all wireless data price competition in the U.S., it also distracted the company from doing a better job on consumer privacy and data security.

So yes, it’s nice to see the FCC take belated action, but it shouldn’t be confused with more serious accountability for T-Mobile or its executives. Nor should anybody confuse occasional fines (which may be reduced if they’re paid at all), with having a real federal privacy law, consistent privacy enforcement, or antitrust reform preventing companies from becoming impossibly unaccountable in the first place.
