The US Federal Communications Commission (FCC) would like everyone to believe they impose their rules impartially, but it does seem like ‑Mobile US always gets a stiffer punishment for each breach of personal data than their competitors would. Multiple breaches between 2021 and 2023 led the US operator to agree the following sanctions with their regulator.
- A $15,750,000 civil penalty
- Another $15,750,000 to be spent on strengthening cybersecurity over the next two years
- A compliance plan to protect consumers against future data breaches
- Appointing a Chief Information Security Officer with a regular reporting line to the Board of Directors
- Implementing a “zero trust” security framework and network segmentation
- Deploying phishing-resistant multi-factor authentication
- Adopting data minimization, inventory, and disposal processes
- Identifying and tracking critical network assets
- Conducting independent assessments of information security practices of third parties
This sounds like exactly like the kinds of controls that all telcos should have! Perhaps they should have been written into law, instead of written into a court settlement with a specific telco.



