T-Mobile Settles for $31.5M, Pledges Major Cybersecurity Overhaul After Multiple Breaches
October 1, 2024
T-Mobile US has reached a $31.5 million settlement to bolster its cybersecurity following a series of network intrusions that impacted millions of customers from 2021 to 2023.
The settlement includes a $15.75 million civil penalty payable to the US Treasury and an equal investment in enhancing its information security program over the next two years.
The FCC accused T-Mobile of violating the Communications Act of 1934, which requires carriers to protect customer data and implement reasonable cybersecurity measures.
This settlement follows at least seven significant IT security breaches experienced by T-Mobile over five years, resulting in the theft of tens of millions of customer records.
Recent breaches compromised sensitive personal information, including names, addresses, Social Security numbers, and driver's license numbers of millions of customers.
In early 2023, a hacker accessed customer information through a frontline sales application using stolen credentials obtained via phishing attacks.
To prevent future breaches, T-Mobile has committed to a 'zero trust' security framework, requiring authentication for access between different sections of its network.
Key improvements mandated by the settlement include appointing a chief information security officer and implementing phishing-resistant multi-factor authentication.
T-Mobile's chief information security officer is now required to provide regular cybersecurity status reports to both the company's board and the FCC.
The FCC described the settlement as a significant step towards protecting sensitive data for millions of customers and a model for the mobile telecommunications industry.
FCC Chairwoman Jessica Rosenworcel emphasized the need for robust cybersecurity protections in the telecom sector, highlighting mobile networks as prime targets for cybercriminals.
Similar settlements have been reached with other telecom companies, including AT&T and Verizon, in relation to data breaches, reflecting a growing trend of accountability in the industry.
Summary based on 9 sources
Sources
The Verge • Sep 30, 2024
T-Mobile promises to try not to get hacked again
Ars Technica • Oct 1, 2024
T-Mobile pays $16 million fine for three years’ worth of data breaches
BleepingComputer • Sep 30, 2024
T-Mobile pays $31.5 million FCC settlement over 4 data breaches
Digital Trends • Oct 1, 2024
T-Mobile has been fined millions of dollars. Here are the details | Digital Trends