T-Mobile to Pay Millions to Settle With FCC Over Data Breaches


The Federal Communications Commission (FCC) on Monday announced a multi-million-dollar settlement with telco T-Mobile over four data breaches that affected millions of people.

According to the FCC, T-Mobile failed to protect customer personal information, provided third parties with access to customer proprietary network information (CPNI) without customer consent, failed to protect CPNI, did not engage in reasonable information security practices, and failed to inform customers of its information security practices.

As a result of these failures, T-Mobile suffered multiple data breaches in which millions of customers had their personal information – including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and CPNI – compromised, the Commission said.

The first data breach that the FCC references occurred in August 2021, when a hacker accessed database backup files and other information from T-Mobile’s network, after performing reconnaissance for months and moving laterally from one compromised system to another.

The incident impacted 76.6 million people, including current, former, and prospective T-Mobile customers, and the carrier provided them with free identity theft protection services, the FCC said.

In 2022, a threat actor used SIM swapping, phishing, and other tactics to hack into a management platform for the carrier’s mobile virtual network operator (MVNO) resellers, which contains MVNO customer information. The Lapsus$ cyber gang was likely responsible for this incident.

In early 2023, using stolen T-Mobile account credentials likely obtained through phishing attacks, a threat actor accessed a frontline sales application containing customer information, such as CPNI. The incident was discovered after customer port-out complaints spiked.

Also in early 2023, the carrier discovered that a permission misconfiguration in one of its APIs allowed a threat actor to obtain the customer account data of roughly 37 million people.


To settle the FCC’s investigation, the telecommunications carrier has agreed to invest $15.75 million over the next two years to improve its cybersecurity practices and address identified weaknesses, and to pay a $15.75 million civil penalty.

“T-Mobile has spent significant additional resources voluntarily enhancing its security program since 2021, engaging internal and outside experts to further enhance controls and processes. T-Mobile has made major financial and operational commitments in the course of its cybersecurity transformation and in response to FCC oversight,” the FCC notes in its Consent Decree (PDF).

As part of the settlement, T-Mobile was also ordered to implement a comprehensive written information security program that includes the adoption of zero-trust architecture and network segmentation, to broadly adopt multi-factor authentication (MFA) within its environment, and to provide regular reports on its cybersecurity practices.
