A Federal Communications Commission probe into the hack of T-Mobile US Inc. is the agency’s first high-profile cyber inquiry under a Biden administration that has promised to more aggressively police companies’ security standards and privacy safeguards.
The hack, which T-Mobile disclosed on Monday, hit a communications sector in which cyber oversight is spread across federal agencies, including the FCC, which has taken a largely hands-off approach to data security in recent years. But U.S. officials this year have signaled a new willingness to use regulatory power to shore up the cyber defenses of critical infrastructure.
“Telecommunications companies have a duty to protect their customers’ information,” an FCC spokeswoman said on Wednesday, declining to comment further.
A T-Mobile representative didn’t respond to a request for comment on the inquiry.
The FCC’s cybersecurity guidelines are largely voluntary, with agency officials producing recommendations for best practices. The Transportation Security Administration took a similar approach to pipeline cyber standards until the hack of Colonial Pipeline Co. in May. Since then, the agency has rolled out first-of-their-kind regulations, including a requirement that pipeline operators report cyberattacks.
While the T-Mobile hack didn’t disrupt U.S. communications networks, the company said on Wednesday that hackers stole personal data like Social Security and driver’s license numbers on about 48 million people.
The Federal Trade Commission has investigated other personal data breaches, including the 2017
hack that concluded with a settlement of at least $575 million. The agency, which in 2019 began studying how telecom carriers collect and store data, declined to comment on T-Mobile.
Most of the records stolen from T-Mobile came from past or prospective customers, the company said. While storing such information isn’t illegal, it could raise additional questions at the FTC and other agencies on the company’s security practices, said
leader of the cybersecurity and technology law group at DiCello Levitt Gutzler.
“Why were they keeping the Social Security numbers and driver’s license numbers for these people?” asked Ms. Keller, who has co-led class-action lawsuits against hacked companies like Equifax. “These people didn’t even sign an agreement with T-Mobile.”
The incident at T-Mobile is the latest in a string of breaches at the Bellevue, Wash.-based wireless carrier, the second largest in the U.S.
Telecom firms “have a great set of customer data for their businesses,” said Susan Welsh de Grimaldo, an analyst at research firm
“At the same time, it makes them a target.”
The FCC has penalized companies for lax data-security practices in the past, though under different authorities.
TerraCom Inc. and YourTel America Inc., two affiliated budget wireless carriers, in 2015 paid $3.5 million and entered a consent decree after agency officials found that a vendor had stored data on 300,000 customers of the two carriers in readable text files on servers open to the internet. The FCC’s enforcement bureau said at the time that the failure to reasonably secure customer information violated the Communications Act, the 1934 law that established the agency.
Also in 2015,
paid $25 million to settle an investigation into the improper access of 280,000 customers’ personal data, as well as so-called customer proprietary network information, or CPNI, like phone numbers called and the timing of chats. FCC rules say carriers have a duty to protect such data, and companies must obtain annual privacy certifications for it from the FCC.
In the T-Mobile investigation, the agency could be seeking details on whether the stolen data is covered under CPNI rules, said
an FCC commissioner from 2013 to 2020.
Republican commissioners like Mr. O’Rielly tend to take a narrower view of the FCC’s cyber authorities. In a 2017 Senate hearing, he described the agency’s jurisdiction over data security as “extremely limited.”
Under the Trump administration, the FCC pushed carriers to avoid equipment from Chinese-owned firm Huawei Technologies Co. for fear of hacks. Yet the agency rolled back some Obama-era practices: in 2017, President Trump signed a law repealing FCC privacy rules for internet service providers.
chairman of the FCC from 2013 to 2017, said the Biden administration needs to sharpen the agency’s focus on security as 5G networks proliferate and enable much larger transmissions of data.
Still, he said, industry buy-in on improved cyber procedures, coupled with investigations into bad cyber practices, is preferable to imposing top-down regulations. Regulations can’t keep pace with technological innovation and may actually give hackers hints on the strong and weak points in companies’ computer systems, he said.
“Rigid rules are just invitations to the bad guy to work his way around them,” Mr. Wheeler said.
—James Rundle contributed to this article.
Write to David Uberti at [email protected]
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.