T-Mobile’s latest hacking incident in the US shows how telcos remain a major target for bad actors and why cybersecurity protections need bolstering

Updated reporting rules to address security breaches in telecoms: On 6 January 2023, the Federal Communications Commission (FCC) launched a proceeding to strengthen requirements on telcos to notify customers and federal law enforcement of breaches of customer proprietary network information (CPNI). The regulator will look to better align its rules with recent developments in federal and state data breach laws covering other sectors. According to FCC Chairwoman Jessica Rosenworcel, while the law requires operators to protect sensitive consumer information, the increase in the “frequency, sophistication and scale of data leaks” makes an update to the framework necessary. The proceeding will therefore take a much-needed look at the FCC’s data breach reporting rules in order to better protect end users, increase security and reduce the impact of future breaches.

Consumers will find out sooner if their data has been leaked: With the adoption of a Notice of Proposed Rulemaking, the FCC’s proceeding will first gather information and seek comment on potential changes to existing regulation. Operators are currently required to alert the FCC and some law enforcement agencies – e.g. the Federal Bureau of Investigation (FBI) – of a data breach within seven business days of discovery. Assuming no objections are raised, customers can then be notified. The FCC has proposed to eliminate the seven-day waiting period so that end users are made aware more quickly that their data has been leaked; and to require telcos to notify consumers of “inadvertent” access, use or disclosures of CPNI, rather than just breaches that occur due to cyberattacks. The regulator will also seek input on whether to require customer breach notices to include specific categories of information, which may be useful to the consumer following a data breach.

Effective data protection is a challenge for the industry: If the FCC proposals are implemented, they will represent the first legislative update in 15 years and bring US rules closer in line with the EU’s General Data Protection Regulation (GDPR), which requires customers to be notified of any breach within 72 hours. However, while more efficient and effective reporting is important, recent events point to the need to bolster protections to keep pace with the evolving nature of data breaches. This month, a “bad actor” manipulated an Application Programming Interface (or API) to obtain information – albeit not sensitive data – on 37m T-Mobile accounts. With the operator disclosing eight data breaches since 2018, this latest incident shows how big a target for hackers telcos remain and why sufficient investment is required to counter growing and innovative cybersecurity threats.