T-Mobile Faces $60 Million Penalty for Repeated Data Security Violations



In an unprecedented move, the Committee on Foreign Investments in the U.S. (CFIUS) is nailing T-Mobile with a $60 million fine for failures related to 2020 and 2021 data leaks. This is the largest penalty ever enacted by CFIUS, and it’s one of the few CFIUS actions to be publicized by U.S. officials.




CFIUS is an offshoot of the Treasury Department that reviews the national security implications of foreign business in the United States. Under normal circumstances, CFIUS would not be involved in the fallout of an American company’s poor data security. But T-Mobile’s largest shareholder, Deutsche Telekom, is based in Germany, so some of T-Mobile’s major business dealings, particularly its acquisition of American companies, are subject to CFIUS’ scrutiny.

T-Mobile’s takeover of Sprint is the origin of today’s $60 million penalty. The Sprint acquisition was approved in 2018 after T-Mobile agreed to follow strict guidelines drafted by CFIUS, the Justice Department, Homeland Security, and the DoD. These guidelines, which pertained to “potential national security, law enforcement, and public safety issues,” required that T-Mobile take steps to mitigate and report any unauthorized data access.


Evidently, the German-controlled telecom did not comply with these requirements. A senior U.S. official told Reuters and Bloomberg that T-Mobile violated its obligations by failing to disclose 2020 and 2021 data leaks in a timely manner. These failures “delayed CFIUS’ efforts to investigate and mitigate any potential harm to U.S. national security.” The fact that these leaks occurred at all may have also contributed to CFIUS’ decision.

But the data leaks in question had little to do with consumer data. As explained by T-Mobile, technical problems during the early days of the Sprint acquisition affected “a small number of law enforcement information requests.” The details are scarce—we don’t know how the information requests were affected—but T-Mobile claims that sensitive data never left the law enforcement “community.”


It’s interesting to see that these data security failures have produced such a strong federal response. Larger, more well-known incidents that exposed the private data of U.S. consumers led to little more than a slap on the wrist.

For reference, T-Mobile has disclosed nine data breaches since 2018. The impact of this penalty on the telecom’s security practices is currently unknown. That said, CFIUS appears to be ramping up its enforcement policy. It, like the Justice Department and the FCC, has taken more action against corporations in the last two years than it did at the turn of the century.

Source: CFIUS via Reuters, Bloomberg


