CFIUS hits T-Mobile with historic $60m fine for data breach

In an unusual enforcement action, the inter-agency committee stated that T-Mobile created a significant national security risk.

T-Mobile has been served with a $60m penalty for failing to take adequate measures to protect against unauthorized access to its data, and failing to promptly report a data breach, the Committee on Foreign Investment in the United States (CFIUS) has reported.

CFIUS rarely names companies involved in its enforcement actions. And the fine is also the largest issued in the committee’s history, by far.

Expensive breach

CFIUS typically reviews the security implications of foreign investments in US companies. The inter-agency committee requires some high-risk transactions to be conducted pursuant to a national security agreement (NSA) with the US government.

As German-controlled T-Mobile was gearing up for a massive merger with US-based Sprint in 2018, CFIUS mandated, as part of the approval process, that the company adhere to certain data protection protocols under its NSA.

“T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data and failed to report some incidents of unauthorized access.”

CFIUS

The Wall Street Journal reported that during the $26 billion integration of T-Mobile and Sprint in 2020-21, mishandled data was accidentally sent to an incorrect law enforcement agency. T-Mobile said that the mishap was due to technical issues experienced during the integration.

This action breached certain data protection elements of T-Mobile’s NSA. Furthermore, T-Mobile’s reporting delay prevented CFIUS from adequately investigating the breach and its security ramifications.

While T-Mobile stated that no malicious activity occurred, CFIUS stated the mishandling of the data nevertheless created a significant national security danger.

“T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data and failed to report some incidents of unauthorized access promptly to CFIUS, delaying efforts to investigate and mitigate any potential harm. CFIUS concluded that these violations resulted in harm to the national security equities of the United States,” CFIUS said.

CFIUS stated that T-Mobile’s apparent delay in reporting the incidents was a significant factor in the fine’s severity. T-Mobile has experienced significant data issues in the past, including a breach disclosed in 2021 that led to a $350m settlement.

“The $60 million penalty announcement highlights the committee’s commitment to ramping up CFIUS enforcement by holding companies accountable when they fail to comply with their obligations,” an unnamed US official stated to the WSJ.

New course for CFIUS

The fine issued against T-Mobile might signal a new phase in CFIUS’s enforcement capacity, where data management will play a more significant role in the committee’s scrutiny of foreign investments.

The committee has issued six penalties in the last 18 months. Before 2022, CFIUS had only issued two penalties since its creation in 1975.

“In the last few years, CFIUS has redoubled its resources and focus on enforcement and accountability, and that is by design: if CFIUS requires companies to make certain commitments to protect national security and they fail to do so, there must be consequences,” said Assistant Secretary of the Treasury for Investment Security Paul Rosen.

Part of the committee’s revamp includes a new web page under the banner of the Treasury Department, which will document and describe CFIUS penalties.