T-Mobile's data security lapse leads to record-breaking fine

The Committee on Foreign Investment in the US (CFIUS) recently fined T-Mobile a whopping $60 million. So far, this has been the committee’s largest penalty ever, and it was levied because the carrier failed to “prevent and report unauthorized access to sensitive data.”

According to Reuters, the penalty was imposed because T-Mobile violated the terms of a mitigation agreement it had entered into with the CFIUS as part of its acquisition of Sprint in 2020. Officials noted that the unauthorized access to sensitive data happened following the acquisition, in particular during 2020 and 2021.

In its statement, T-Mobile seemed to acknowledge the issue but explained that the unauthorized access to data occurred due to technical issues during its post-acquisition integration with Sprint. The carrier revealed that the unauthorized access involved “information shared from a small number of law enforcement information requests,” but noted that the data was always contained within the law enforcement community. Additionally, T-Mobile also emphasized that the issue was reported and addressed quickly.

While this is the CFIUS’ largest penalty to date, the committee likely did so to emphasize its aggressive stance on enforcing compliance going forward. In this case, the CFIUS has jurisdiction over T-Mobile because the carrier is primarily owned by Deutsche Telekom, a German entity. Since the committee was set up to oversee the national security implications of foreign business investments in the US, the CFIUS is within its rights to take action against companies for breaching the terms of their agreements, as it has with T-Mobile.