The settlement comes after an FCC investigation into a major 2021 breach as well as three other incidents at T-Mobile in 2022 and 2023.

T-Mobile will pay $31.5 million in connection with a settlement with the Federal Communications Commission (FCC) over a series of four breaches from 2021 to 2023, the agency announced Monday.

The telecom giant also has committed to making “significant” changes to its processes as part of the settlement agreement, which will resolve the investigation into the breaches, the FCC said in a news release.

[Related: 10 Major Cyberattacks And Data Breaches In 2024 (So Far)]

The announcement follows a $13 million data breach settlement between the FCC and AT&T earlier this month.

The newly announced T-Mobile settlement represents another “strong message” to telecoms “that they need to beef up their systems or there will be consequences,” FCC Chairwoman Jessica Rosenworcel said in the release.

The agreement requires T-Mobile to pay $15.75 million to the U.S. Treasury as well as invest $15.75 million into cybersecurity, according to the FCC.

The initial breach, disclosed in August 2021, saw hackers gain access to T-Mobile’s network and customer data. The attack impacted customer data including first and last names, Social Security numbers, and driver’s license numbers, addresses and dates of birth.

Data from 7.8 million current T-Mobile customers, as well as from 40 million former or prospective customers, was accessed by attackers during the 2021 hack, according to the FCC.

The other incidents consisted of a reseller management platform breach in 2022 and two breaches in 2023, which included threat actors accessing a sales application and an API breach.

In a statement provided to CRN Monday, T-Mobile said it takes its “responsibility to protect our customers’ information very seriously” and that the settlement refers to incidents that were “immediately addressed.”

“We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so,” T-Mobile said.

The agreement with the FCC requires T-Mobile to adopt a “modern zero trust architecture and segment its networks” as well as “robust” identity and access management, according to the FCC.

T-Mobile’s CISO must also provide “regular reports to the board concerning T-Mobile’s cybersecurity posture and business risks posed by cybersecurity,” the FCC said.