Update: August 16, 2024 12:15 am EST:

T-Mobile reached out to us to clarify that “this was not a data breach, but a technical issue. There was no threat actor involved.“

We have highlighted the statement in the original article reflecting T-Mobile’s statement, which they pointed out to the CFIUS.

The original article is below.

We already know that data security breaches can be costly for the companies that break them. But we didn’t know they could be as high as $60 million. 

To date, this is the largest penalty imposed by the Committee on Foreign Investment in the US (CFIUS). This was levied since T-Mobile failed to “prevent and report unauthorized access to sensitive data.”

The Reuters report showed that T-Mobile was penalized for this after the CFIUS found them to be in violation of a mitigation agreement as part of its 2020 Sprint acquisition. The breach took effect after the acquisition, in 2020 and 2021. 

Although T-Mobile had already acknowledged the issue, it explained that the unauthorized access happened during technical issues it experienced while integrating with Sprint. The unauthorized access included “information shared from a small number of law enforcement information requests,” but T-Mobile asserted that the data was contained in this community. They also said that they reported and addressed the issue right away.  

The CFIUS has jurisdiction over T-Mobile since the latter is primarily owned by a German entity, Deutsche Telekom. With the committee being set up to oversee the implications of national security on foreign businesses operating in the US, the CFIUS has the authority to take action against T-Mobile.

Aside from the penalty, T-Mobile promised to improve its compliance programs and will work with the committee to meet its obligations. 

Source: AndroidAuthority