The Federal Communications Commission investigation into the
Information on 7.8 million current customers, as well as more than 40 million records from past or prospective customers, was stolen in a cyberattack, the company has said. T-Mobile Friday said 5.3 million more current accounts were hacked, according to a Securities and Exchange Commission filing. The FCC has said it is investigating the data breach.
“This is going to be a very interesting test to see how the Biden administration is now going to treat these kinds of data breaches and privacy concerns that come under the FCC’s jurisdiction,” Harold Feld, senior vice president at the non-profit advocacy group Public Knowledge, said. “We’ll see how thorough the investigation is and to what extent they decide what penalties and remedial actions are necessary.”
The independent agency Thursday declined a request for further comment on its investigation.
Agency observers expect the FCC to probe the episode under Section 222 of the Communications Act, which requires carriers to take specific steps to ensure that customer proprietary network information is properly protected from unauthorized disclosure.
“But it may or may not be a perfect fit” because the stolen data may not qualify as customer proprietary network information, Bloomberg Intelligence analyst Matthew Schettenhelm said.
The data breach involved first and last names, dates of birth, phone numbers, Social Security numbers, account PINs, driver’s license and ID information, T-Mobile said. The company didn’t immediately respond to a request for comment on the FCC’s investigation.
During the Obama administration, the FCC imposed substantial fines on phone companies for failing to protect customer data. The agency wasn’t as active during the Trump administration.
Questions may arise about whether T-Mobile’s data is a matter of broadband or phone service, analysts said. Some believe the FCC only has authority to deal with telephone service after the agency in 2018 decided to repeal its net neutrality rules. The Federal Trade Commission could step in to review stolen broadband data, according to Schettenhelm and Tony Pepper, the CEO & co-founder of cybersecurity software company Egress.
The commission likely will ask T-Mobile whether it followed FCC rules once it discovered the breach, including notifying authorities; whether it failed to take precautions leading up to the cyberattack; and whether it was meeting the latest industry standards.
Those factors would help the agency determine whether to impose monetary penalties, require T-Mobile to come up with a compliance plan, or both.
This is not the first time T-Mobile has had to grapple with a customer data breach. The FCC in 2017 said T-Mobile failed to protect more than 15 million consumers from a third-party contractor collecting data for credit checks, but did not penalize the company.
Given its history, Pepper said the FCC could rule the phone company “has failed in its duty to its customers” and impose fines that can run into the millions.
In 2020 under Republican Chair Ajit Pai, the FCC levied more than $200 million in fines against the then four largest carriers, Verizon Communications Inc., AT&T Inc., T-Mobile and Sprint Corp., for sharing user data.
T-Mobile Wednesday said it would immediately offer its customers two years of free identity protection services, provide “an extra step” to protect mobile accounts that would make it harder for accounts to be stolen and publish a “unique” website for information and solutions to help customers take further steps.
The FCC also could require T-Mobile to offer its customers additional remedies.