T-Mobile was fined $60 million for failing to report or prevent data breaches. The hefty fine was imposed by the Committee on Foreign Investment in the US (CFIUS) and is the largest fine of its kind the organization has ever imposed. T-Mobile is owned by Deutsche Telekom, a company based in Germany, which is why CFIUS got involved.
These penalties have their origins in the terms of a 2020 deal in which T-Mobile purchased Sprint. CFIUS placed several conditions on the purchase, including some related to protecting consumer data. The committee found that T-Mobile failed to meet those conditions by failing to secure the data and failing to report unauthorized access to that data. .
The data leaks occurred in 2020 and 2021. T-Mobile has attributed the leaks to technical issues that arose during its post-merger integration with Sprint. The company says the leaks targeted “information shared from a small number of law enforcement requests for information.”
It also says that the data remained within law enforcement even after the breaches. T-Mobile claims that the breaches were reported in a “timely manner” and “quickly remedied.”
CFIUS has become more aggressive with fines and related penalties in recent months. It has issued six large penalties in the past year, but none of them come close to the $60 million just imposed on T-Mobile. That’s roughly three times the number of penalties it has imposed in any other similar period since its inception, from 1975 to 2022.
“The announcement of a $60 million penalty underscores the committee’s commitment to strengthening CFIUS enforcement by holding companies accountable when they fail to meet their obligations,” a U.S. official said. Reuters.
