FTC, FCC Under Rising Pressure to Probe T-Mobile Data Breach
The FCC or FTC is likely to investigate, and possibly impose sanctions on, T-Mobile for a data breach, experts said Wednesday. The breach included information from about 7.8 million current T-Mobile postpaid customer accounts and the records of more than 40 million former or prospective customers, T-Mobile said. Data from about 850,000 prepaid customers was also exposed. A Dish Network spokesperson confirmed that Boost customers weren’t affected.
“Telecommunications companies have a duty to protect their customers’ information,” an FCC spokesperson emailed: “The FCC is aware of reports of a data breach affecting T-Mobile customers and we are investigating.” The FTC declined comment.
The data leak apparently doesn’t include customer financial, credit card, debit or other payment information, but it did take in customers’ names, dates of birth, Social Security numbers, driver’s license and other ID information, T-Mobile said. “Late last week we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems,” the carrier said: “We immediately began an exhaustive investigation into these claims and brought in world-leading cybersecurity experts to help with our assessment. We then located and immediately closed the access point that we believe was used to illegally gain entry to our servers.”
“T-Mobile has had a repeated series of data breaches that impact millions of their customers,” Greg Guice, Public Knowledge government affairs director, told us. “The carrier needs to actually take steps that will protect consumer data instead of just saying that they’re going to protect consumer data,” he said: “The FCC should definitely act. It has the authority to act and our hope is they will investigate this very quickly and find out what is at the core of this problem with T-Mobile.” Guice said the FCC could act under Communications Act Title III and Title II authority.
Various regulators will likely look into the breach, said Bruce Schneier, security technologist at the Harvard Kennedy School. “Whether they'll actually do something is anyone's guess,” he said.
The FTC faces institutional challenges in policing breaches, Daria Bahrami, program manager-cybersecurity and emerging threats at the R Street Institute, told us. “Right now, the FTC does not have the staffing support or resources to enforce data protection regulations, so that is a critical first step the administration needs to address,” she said. As of 2020, the FTC had only 40-45 staffers in charge of national data privacy and security enforcement, she said: “It's wildly unrealistic for such a small team to help enforce and oversee the country's data privacy needs.”
Free Press urged Congress, the FTC and the states to investigate. “Why did T-Mobile retain the sensitive personal information of 40 million people who aren’t current customers or who were never customers?” asked Research Director Derek Turner: “Why is it legal to retain this information at all? Was T-Mobile too distracted by its merger with Sprint to protect this information from hackers?”
In September 2017, Equifax announced a data breach exposing the personal information of 147 million people. The company reached a global settlement with the FTC, the Consumer Financial Protection Bureau and 50 U.S. states and territories to pay as much as $425 million to help people affected by the breach.
The news for T-Mobile was “not quite half as bad as feared,” New Street’s Jonathan Chaplin told investors. “We don’t know what liability, if any, T-Mobile will face for the leak,” he said. Chaplin estimated that, based on the Equifax fine, T-Mobile could be on the hook for about $215 million in penalties.
New Street’s Blair Levin, a former FCC chief of staff, told us the FCC’s authority isn’t clear. “The FCC can investigate under broad powers to protect the public interest,” he said: “What is less clear is whether there is any violation of an FCC rule.” Others, like the FTC and the state attorneys general, “under their consumer protection jurisdiction, have broader powers to investigate and issue penalties.” Spokespersons for the attorneys general in Washington state, where T-Mobile is based, New York and California didn’t comment.
International Center for Law & Economics President Geoffrey Manne thinks the FTC is more likely to act. The FTC “regularly imposes compliance plans in these situations even following remediation by the company,” he said: “It's not necessarily an immediate process. They have to start an investigation, decide to file suit under FTC Act Section 5, and negotiate with the company. But almost always, if it gets that far, it results in a consent order with the company imposing a whole bunch of security requirements, as well as ongoing reporting” requirements.
The breach is another example of “why the administration needs to prioritize a national data security and data privacy law that empowers the FTC and attorneys general to make sure companies live up to their promise of safeguarding personally identifiable information,” said R Street’s Bahrami. “As a telecommunications company, T-Mobile qualifies as critical infrastructure and if we've learned anything from the SolarWinds ransomware attack, it's that we have to be proactive in anticipating these kinds of cyberattacks and vigilant in responding,” she said.
T-Mobile is offering customers two years of free identity protection with McAfee’s ID Theft Protection Service and recommending that all postpaid customers change their PINs, though it’s not clear PIN data was stolen. The provider said it’s putting up a web page “for one stop information and solutions to help customers take steps to further protect themselves.”