by jonathanmayer 1772 days ago
T-Mobile has had recurring data security deficiencies. I know because I served as CTO of the FCC's Enforcement Bureau, before returning to academia.

In 2017, the FCC determined that T-Mobile had violated federal law in a data breach involving customer credit information [1]. There was reportedly no fine because Congress has imposed a strict one-year statute of limitations on FCC enforcement actions.

In 2020, the FCC charged T-Mobile with again violating federal law in failing to protect customer location information [2]. The FCC proposed a $91.6M fine, widely criticized as insufficient at the time [3-4]. I don't believe the FCC has finalized or collected that penalty.

There have been several other incidents, including in 2018 [5], 2019 [6], early 2020 [7], and late 2020 [8].

I hope there has not been a new data breach. But if there has been, this is the latest in a pattern, and the incentives have to change.

[1] https://www.nexttv.com/news/fcc-admonishes-t-mobile-breach-1...

[2] https://www.fcc.gov/document/fcc-proposes-916m-fine-against-...

[3] https://docs.fcc.gov/public/attachments/FCC-20-27A4.pdf

[4] https://docs.fcc.gov/public/attachments/FCC-20-27A5.pdf

[5] https://www.theverge.com/2018/8/24/17776836/tmobile-hack-dat...

[6] https://www.bleepingcomputer.com/news/security/t-mobile-disc...

[7] https://www.bleepingcomputer.com/news/security/t-mobile-data...

[8] https://www.bleepingcomputer.com/news/security/t-mobile-data...

4 comments

Thank you for that context. It seems like breaches are happening every month now. What do you think needs to happen to ensure these gigantic companies secure data? I can imagine (a) new legislation enabling bigger, swifter fines or (b) anti-trust action. Do you think we should prioritize one over the other, do both, or something else?

I left TMo in 2018, when their 'forgot password' link sent me my actual password, via email.

A relevant quote from there: "What if this doesn't happen because our security is amazingly good?"

oh boy...

I remember this happening in real time. People were losing their minds over it. I really hope that PR rep got fired; they have no business doing anything related to telecommunications.

This reads like a parody account.

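
The comment above about a "forgot password" link that mailed back the real password is worth spelling out, because a site can only do that if it keeps passwords in a readable form. The following is an added example (not T-Mobile's code and not from anyone in this thread) contrasting a recoverable store with a hardened one: a salted PBKDF2 hash plus a single-use, short-lived reset token, so the server has nothing to email except a link. The class names, the iteration count, the 15-minute TTL and the injectable clock are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time


class RecoverablePasswordStore:
    """Anti-pattern (constructed): the password is kept in a form the server
    can read back, which is the only way a 'we emailed you your password'
    flow can exist. Anyone with database or mailbox access gets the secret."""

    def __init__(self):
        self._users = {}

    def register(self, user, password):
        self._users[user] = password          # stored as-is, readable at rest

    def forgot_password(self, user):
        # Mails the actual credential back to whoever controls the mailbox.
        return f"Your password is: {self._users[user]}"


class HashedPasswordStore:
    """Hardened flow: store only a salted hash, verify in constant time, and
    reset via a random token that is hashed at rest, single-use and expiring."""

    PBKDF2_ITERATIONS = 200_000            # illustrative work factor
    TOKEN_TTL_SECONDS = 15 * 60            # reset link valid for 15 minutes

    def __init__(self, now=time.time):
        self._users = {}                   # user -> (salt, digest)
        self._reset_tokens = {}            # sha256(token) -> (user, expiry)
        self._now = now                    # injectable clock for testing

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, self.PBKDF2_ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)              # per-user random salt
        self._users[user] = (salt, self._hash(password, salt))

    def verify(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        # compare_digest avoids leaking how many bytes matched via timing
        return hmac.compare_digest(digest, self._hash(password, salt))

    def forgot_password(self, user):
        """Return a fresh reset token to embed in an emailed link. The server
        cannot return the password: only its hash exists."""
        if user not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).digest()
        self._reset_tokens[key] = (user, self._now() + self.TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, token, new_password):
        """Consume the token; reject unknown, reused or expired tokens."""
        key = hashlib.sha256(token.encode("utf-8")).digest()
        entry = self._reset_tokens.pop(key, None)   # pop => single use
        if entry is None:
            return False
        user, expires_at = entry
        if self._now() > expires_at:
            return False
        self.register(user, new_password)           # new salt, new hash
        return True


if __name__ == "__main__":
    store = HashedPasswordStore()
    store.register("alice", "correct horse battery staple")
    token = store.forgot_password("alice")
    print("reset link: https://example.invalid/reset?token=" + token)
    print("reset ok:", store.reset_password(token, "new passphrase"))
    print("reuse ok:", store.reset_password(token, "again"))   # False
```

The design point is that the hardened store's `forgot_password` has nothing to disclose even if called by an attacker with full database access: the token is random, only its hash is stored, and it dies on first use or after the TTL. A deployment would still rate-limit the endpoint and avoid confirming whether the account exists in its response.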
Absolutely agree that the incentives have to change!

What does the FCC consider to be "reasonable measures to protect the confidentiality of its customers data"? Is there a document somewhere that outlines the best practices they expect you to follow?

I might be able to better convince my employer to prioritize security work if I had something like that to point to.

So the only fines that T-Mobile has paid are for the rural call completion issues then?

Crazy that they can get away with regional and nationwide voice outages, SSNs and TINs repeatedly being leaked en masse, and the only fines they get are for rural call completion...

https://www.fcc.gov/document/settlement-t-mobile-rural-call-...