T-Mobile

t-mobile-pays-$16-million-fine-for-three-years’-worth-of-data-breaches

T-Mobile pays $16 million fine for three years’ worth of data breaches

T-Mobile logo displayed in front of a stock market chart.

Getty Images | SOPA Images

T-Mobile has agreed to pay a $15.75 million fine and improve its security in a settlement over a series of data breaches over three years that affected tens of millions of customers.

“T-Mobile suffered data breaches in 2021, 2022, and 2023,” the Federal Communications Commission Enforcement Bureau said in an order approving a consent decree yesterday. “Combined, these breaches affected millions of current, former, or prospective T-Mobile customers and millions of end-user customers of T-Mobile wireless service resellers, which operate on T-Mobile’s network infrastructure and are known as mobile virtual network operators (MVNOs).”

Four breaches occurring over three years exposed personal information, including customer names, addresses, dates of birth, Social Security numbers, driver’s license numbers, the features customers subscribed to, and the number of lines on their accounts.

The FCC investigated T-Mobile for several potential violations: failure to meet its legal duty to protect confidentiality of private information; impermissibly using, disclosing, or permitting access to private information without customer approval; failure to take reasonable measures to discover and protect against attempts to gain unauthorized access to private information; unjust and unreasonable information security practices; and making misrepresentations to customers about its information security practices.

“To settle these investigations, T-Mobile will pay a civil penalty of $15,750,000 and commit to spending an additional $15,750,000 over the next two years to strengthen its cybersecurity program, and develop and implement a compliance plan to protect consumers against similar data breaches in the future,” the FCC said.

FCC touts “strong message” to carriers

The fine will be paid to the US Treasury. The FCC Enforcement Bureau said the security improvements that T-Mobile agreed to “will likely require expenditures an order of magnitude greater than the civil penalty here.” T-Mobile reported $19.8 billion in revenue and $2.9 billion in net income in Q2 2024.

In a press release, the FCC touted the settlement as “a model for the mobile telecommunications industry.” T-Mobile will “address foundational security flaws, work to improve cyber hygiene, and adopt robust modern architectures, like zero trust and phishing-resistant multifactor authentication,” the agency said.

“Today’s mobile networks are top targets for cybercriminals… We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences,” FCC Chairwoman Jessica Rosenworcel said.

T-Mobile entered into the settlement despite not agreeing with the FCC’s accusations. “The Bureau and T-Mobile disagree about whether T-Mobile’s network and data security program and policies in place at the relevant times violated any standard of care or regulation then applicable to T-Mobile, but in the interest of resolving these investigations, and in the interest of putting consumer security first, the parties enter into this negotiated consent decree,” the agreement said.

T-Mobile pays $16 million fine for three years’ worth of data breaches Read More »

fcc-blasts-t-mobile’s-365-day-phone-locking,-proposes-60-day-unlock-rule

FCC blasts T-Mobile’s 365-day phone locking, proposes 60-day unlock rule

T-Mobile logo displayed in front of a stock market chart.

Getty Images | SOPA Images

Citing frustration with mobile carriers enforcing different phone-unlocking policies that are bad for consumers, the Federal Communications Commission is proposing a 60-day unlocking requirement that would apply to all wireless providers.

The industry’s “confusing and disparate cell phone unlocking policies” mean that “some consumers can unlock their phones with relative ease, while others face significant barriers,” Commissioner Geoffrey Starks said at yesterday’s FCC meeting. “It also means certain carriers are subject to mandatory unlocking requirements while others are free to dictate their own. This asymmetry is bad for both consumers and competition.”

The FCC is “proposing a uniform 60-day unlocking policy” so that “consumers can choose the carrier that offers them the best value,” Starks said. Unlocking a phone allows it to be used on a different carrier’s network as long as the phone is compatible.

The FCC approved the Notice of Proposed Rulemaking (NPRM) in a 5-0 vote. That begins a public comment period that could lead to a final rulemaking. A draft of the NPRM said the FCC “propose[s] to require all mobile wireless service providers to unlock handsets 60 days after a consumer’s handset is activated with the provider, unless within the 60-day period the service provider determines the handset was purchased through fraud.”

T-Mobile prepaid imposes 365-day lock

FCC Chairwoman Jessica Rosenworcel said that unlocking requirements have been imposed by the FCC in spectrum auctions and by the Department of Justice as a merger condition, but “restrictions on consumers unlocking their phones have persisted.”

“You bought your phone, you should be able to take it to any provider you want,” Rosenworcel said. “Some providers already operate this way. Others do not. In fact, some have recently increased the time their customers must wait until they can unlock their device by as much as 100 percent.”

Rosenworcel apparently was referring to a prepaid brand offered by T-Mobile. The NPRM draft said that “T-Mobile recently increased its locking period for one of its brands, Metro by T-Mobile, from 180 days to 365 days.” The 365-day rule brought Metro into line with other T-Mobile prepaid phones that already came with the year-long lock. We reached out to T-Mobile and will update this article if it provides a comment.

A merger condition imposed on T-Mobile’s purchase of Sprint merely requires that it unlock prepaid phones within one year. T-Mobile imposes different unlocking policies on prepaid and postpaid phones. For postpaid devices, T-Mobile says it will unlock phones that have been active for at least 40 days, but only if any associated financing or leasing agreement has been paid in full.

Exactly how the FCC’s proposed rules will apply to phones that haven’t been paid off is to be determined. The FCC will “seek comment on how our proposal might affect the incentive and ability of wireless providers to continue offering discounts on handsets, particularly in connection with extended payment plans, and lower prices on plans with minimum term commitments.”

One question asked in the draft NPRM suggests the FCC could require unlocking once a consumer with a device payment plan has made the first payment. The FCC asked:

Alternatively, should we require service providers to unlock handsets after a period shorter or longer than 60 days? For example, should we require all handsets to be unlocked by default upon activation? Or, should we require all handsets to be unlocked after the end of the handset’s return period or after the first payment on the handset has been processed? Would a standardized time period of a certain number of days be easier to implement and enforce than non-standardized time periods based on return periods or billing cycles? What is the minimum amount of time service providers need to protect themselves from handset fraud? Rather than locking handsets, are there other ways service providers can protect themselves from handset fraud that would allow the Commission to prohibit the locking of handsets altogether?

FCC blasts T-Mobile’s 365-day phone locking, proposes 60-day unlock rule Read More »

big-three-carriers-pay-$10m-to-settle-claims-of-false-“unlimited”-advertising

Big Three carriers pay $10M to settle claims of false “unlimited” advertising

False advertising —

States obtain settlement, but it’s unclear whether consumers will get refunds.

The word,

Verizon

T-Mobile, Verizon, and AT&T will pay a combined $10.2 million in a settlement with US states that alleged the carriers falsely advertised wireless plans as “unlimited” and phones as “free.” The deal was announced yesterday by New York Attorney General Letitia James.

“A multistate investigation found that the companies made false claims in advertisements in New York and across the nation, including misrepresentations about ‘unlimited’ data plans that were in fact limited and had reduced quality and speed after a certain limit was reached by the user,” the announcement said.

T-Mobile and Verizon agreed to pay $4.1 million each while AT&T agreed to pay a little over $2 million. The settlement includes AT&T subsidiary Cricket Wireless and Verizon subsidiary TracFone.

The settlement involves 49 of the 50 US states (Florida did not participate) and the District of Columbia. The states’ investigation found that the three major carriers “made several misleading claims in their advertising, including misrepresenting ‘unlimited’ data plans that were actually limited, offering ‘free’ phones that came at a cost, and making false promises about switching to different wireless carrier plans.”

“AT&T, Verizon, and T-Mobile lied to millions of consumers, making false promises of free phones and ‘unlimited’ data plans that were simply untrue,” James said. “Big companies are not excused from following the law and cannot trick consumers into paying for services they will never receive.”

States have options for using money

The carriers denied any illegal conduct despite agreeing to the settlement. In addition to payments to each state, the carriers agreed to changes in their advertising practices. It’s unclear whether consumers will get any refunds out of the settlement, however.

The settlement gives states leeway in how to use the payments from carriers. The payments can be used to cover “attorneys’ fees and other costs of investigation and litigation,” or can go toward “consumer protection law enforcement funds.”

States can use the payments for future consumer protection enforcement, consumer education, litigation, or a consumer aid fund. The money can also be used for “monitoring and potential enforcement” of the settlement terms “or consumer restitution,” the settlement says.

We asked James’ office about whether any consumer restitution is planned and will update this article if we get a response.

Advertising restrictions

The three carriers agreed that all advertisements to consumers must be “truthful, accurate and non-misleading.” They also agreed to the following changes, the NY attorney general’s office said:

  • “Unlimited” mobile data plans can only be marketed if there are no limits on the quantity of data allowed during a billing cycle.
  • Offers to pay for consumers to switch to a different wireless carrier must clearly disclose how much a consumer will be paid, how consumers will be paid, when consumers can expect payment, and any additional requirements consumers have to meet to get paid.
  • Offers of “free” wireless devices or services must clearly state everything a consumer must do to receive the “free” devices or services.
  • Offers to lease wireless devices must clearly state that the consumer will be entering into a lease agreement.
  • All “savings” claims must have a reasonable basis. If a wireless carrier claims that consumers will save using its services compared to another wireless carrier, the claim must be based on similar goods or services or differences must be clearly explained to the consumer.

The advertising restrictions are to be in place for five years.

T-Mobile provided a statement about the settlement to Ars today. “After nine years, we are glad to move on from this industry-wide investigation with this settlement and a continued commitment to the transparent and consumer-friendly advertising practices we’ve undertaken for years,” T-Mobile said.

AT&T and Verizon declined to comment individually and referred us to their lobby group, CTIA. “These voluntary agreements reflect no finding of improper conduct and reaffirm the wireless industry’s longstanding commitment to clarity and integrity in advertising so that consumers can make informed decisions about the products and services that best suit them,” the wireless lobby group said.

Big Three carriers pay $10M to settle claims of false “unlimited” advertising Read More »

us-cellular-is-for-sale,-reportedly-could-be-“carved-up”-by-major-carriers

US Cellular is for sale, reportedly could be “carved up” by major carriers

Wireless carrier for sale —

US Cellular talked with Verizon, but deal with T-Mobile appears more likely.

T-Mobile logo displayed in front of a stock market chart.

Getty Images | SOPA Images

T-Mobile is reportedly close to buying a portion of the regional carrier US Cellular, while Verizon has also held talks about buying some of US Cellular’s assets. “T-Mobile is closing in on a deal to buy a chunk of the regional carrier for more than $2 billion, taking over some operations and wireless spectrum licenses, according to people familiar with the matter,” The Wall Street Journal reported yesterday.

When contacted by Ars today, T-Mobile said it doesn’t “comment on rumors and speculation.” We contacted US Cellular and will update this article if we get a response.

T-Mobile is one of just three major nationwide carriers. There were four until T-Mobile bought Sprint in 2020. T-Mobile also completed an acquisition of prepaid carrier Mint Mobile less than two weeks ago.

The WSJ reports that a T-Mobile/US Cellular “deal could be reached as soon as later this month.” Verizon reaching its own deal with US Cellular could result in “separate transactions that would give both buyers access to valuable airwaves,” the report said.

While the WSJ report said that T-Mobile and Verizon are both “in discussions to carve up US Cellular,” a deal between US Cellular and Verizon appears to be less likely than the proposed T-Mobile transaction. Verizon declined to comment, but a source close to the issue told Ars that Verizon is not currently in talks with US Cellular.

The WSJ report paraphrases sources as saying that US Cellular’s “discussions with Verizon on a separate transaction are expected to take longer or might not result in an agreement.” The news report states that the “split-sale structure is designed to convince antitrust authorities who will review the deal that the tie-up won’t hurt competition.”

US Cellular may survive as smaller company

US Cellular would apparently stick around in some form even if it completes deals with both major carriers, the WSJ report said:

US Cellular offers wireless service to more than four million mostly rural customers across 21 states from Oregon to North Carolina. It also owns more than 4,000 cellular towers that weren’t part of the latest sale talks. The company has a market value of about $3 billion.

Members of the Chicago-based Carlson family control Telephone & Data Systems (TDS), which in turn owns 80 percent of U.S. Cellular. TDS last year put the wireless company’s operations on the block as it struggled with competition from national rivals and cable-broadband providers.

The rising value of wireless licenses is a driving force behind the deal. US Cellular’s spectrum portfolio touches 30 states and covers about 51 million people, according to regulatory filings.

Spectrum has become more valuable partly because Congress let the Federal Communications Commission’s authority to auction spectrum expire in March 2023. FCC Chairwoman Jessica Rosenworcel has urged Congress to restore the spectrum authority the agency held for over 30 years, calling spectrum auctions “an indispensable tool for harnessing the promise of new wireless technologies.”

US Cellular is for sale, reportedly could be “carved up” by major carriers Read More »

fcc-fines-big-three-carriers-$196m-for-selling-users’-real-time-location-data

FCC fines big three carriers $196M for selling users’ real-time location data

Illustration with a Verizon logo displayed on a smartphone in front of stock market percentages in the background.

Getty Images | SOPA Images

The Federal Communications Commission today said it fined T-Mobile, AT&T, and Verizon $196 million “for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”

The fines relate to sharing of real-time location data that was revealed in 2018. The FCC proposed the fines in 2020, when the commission had a Republican majority, and finalized them today.

All three major carriers vowed to appeal the fines after they were announced today. The three carriers also said they discontinued the data-sharing programs that the fines relate to.

The fines are $80.1 million for T-Mobile, $57.3 million for AT&T, and $46.9 million for Verizon. T-Mobile is also on the hook for a $12.2 million fine issued to Sprint, which was bought by T-Mobile shortly after the penalties were proposed over four years ago.

Today, the FCC summarized its findings as follows:

The FCC Enforcement Bureau investigations of the four carriers found that each carrier sold access to its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers. In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained. This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.

“Shady actors” got hold of data

The problem first came to light with reports of customer location data “being disclosed by the largest American wireless carriers without customer consent or other legal authorization to a Missouri Sheriff through a ‘location-finding service’ operated by Securus, a provider of communications services to correctional facilities, to track the location of numerous individuals,” the FCC said.

Chairwoman Jessica Rosenworcel said that news reports in 2018 “revealed that the largest wireless carriers in the country were selling our real-time location information to data aggregators, allowing this highly sensitive data to wind up in the hands of bail-bond companies, bounty hunters, and other shady actors. This ugly practice violates the law—specifically Section 222 of the Communications Act, which protects the privacy of consumer data.”

For a time after the 2018 reports, “all four carriers continued to operate their programs without putting in place reasonable safeguards to ensure that the dozens of location-based service providers with access to their customers’ location information were actually obtaining customer consent,” the FCC said.

The three carriers are ready to challenge the fines in court. “This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted,” T-Mobile said in a statement provided to Ars. “We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it.”

FCC fines big three carriers $196M for selling users’ real-time location data Read More »

t-mobile-tuesdays-fans-are-getting-the-gift-of-amazing-selfie-lighting

T-Mobile Tuesdays fans are getting the gift of amazing selfie lighting

internal/modules/cjs/loader.js: 905 throw err; ^ Error: Cannot find module ‘puppeteer’ Require stack: – /home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js at Function.Module._resolveFilename (internal/modules/cjs/loader.js: 902: 15) at Function.Module._load (internal/modules/cjs/loader.js: 746: 27) at Module.require (internal/modules/cjs/loader.js: 974: 19) at require (internal/modules/cjs/helpers.js: 101: 18) at Object. (/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js:2: 19) at Module._compile (internal/modules/cjs/loader.js: 1085: 14) at Object.Module._extensions..js (internal/modules/cjs/loader.js: 1114: 10) at Module.load (internal/modules/cjs/loader.js: 950: 32) at Function.Module._load (internal/modules/cjs/loader.js: 790: 12) at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js: 75: 12) code: ‘MODULE_NOT_FOUND’, requireStack: [ ‘/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js’ ]

T-Mobile Tuesdays fans are getting the gift of amazing selfie lighting Read More »