Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Data Leak, Breach and Cyber Attack.

Total Financial Loss: The total financial loss from these incidents is estimated to be $200 thousand.

Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with shut down malicious, unauthorized access, and communication strategy with alerted impacted customers via sms notifications, and containment measures with identified and shut down a security event involving account information, and communication strategy with notified affected customers by sending text messages, and and containment measures with identified and mitigated intrusion attempts, and third party assistance with legal representation for industry groups (petitioners), and communication strategy with fcc public statements, communication strategy with court opinion publication, and enhanced monitoring with mandated for telecom companies under new rules, and incident response plan activated with partial (by some affected entities post-notification), and third party assistance with academic researchers (uc san diego, university of maryland), and containment measures with encryption implemented by t-mobile, walmart, kpu post-disclosure, and remediation measures with notification to affected entities, remediation measures with public disclosure to raise awareness, and communication strategy with media interviews (wired), communication strategy with academic paper publication..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through SMS Phishing, Email Vendor, Stolen Employee Credentials and Routing Infrastructure.

Average Financial Loss: The average financial loss per incident is $8.33 thousand.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal Plan Information, Billing Account Name, Phone And Account Number, , Email Addresses, Billing Account Numbers, Imsi, , Personally Identifiable Information, Account Information, , Customer Names, Billing Zip Codes, Phone Numbers, Email Addresses, Account Numbers, Account Types, , Social Security Numbers, Financial Information, Government Id Numbers, Billing Information, Rate Plans, , Customer data, Addresses, Phone Numbers, Dates Of Birth, , Personal information required to complete an online purchase, Full Name, Contact Information, Account Number And Related Phone Numbers, T-Mobile Account Pin, Social Security Number, Government-Issued Id, Date Of Birth, Balance Owing, Internal Codes Used By T-Mobile To Service Customer Accounts, Number Of Lines, , Personal Information, , Contact Information, Sensitive Account Details, , Customer Addresses, Drivers' Licenses, Social Security Numbers, , Names, Addresses, Social Security Numbers, Driver’S License Numbers, , T-Mobile Account Pins, Driver'S License Numbers, , Personal Information, , Customer Names, Full Dates Of Birth, Other Account Information, , Names, Drivers’ Licenses, Social Security Numbers, Dates Of Birth, , Customer Proprietary Network Information (Cpni), Personally Identifiable Information (Pii): Ssns, Email Addresses, , Sensitive Personal Information, , Call/Text Metadata (Phone Numbers, Timestamps), Military/Law Enforcement Operational Data (Locations, Mission Details), Utility Infrastructure Communications, Vessel/Asset Maintenance Records and .

Incident Response Plan: The company's incident response plan is described as Partial (by some affected entities post-notification), .

Third-Party Assistance: The company involves third-party assistance in incident response through Legal Representation for Industry Groups (Petitioners), , Academic researchers (UC San Diego, University of Maryland), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Notification to affected entities, Public disclosure to raise awareness, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by shut down malicious, unauthorized access, identified and shut down a security event involving account information, identified and mitigated intrusion attempts, encryption implemented by t-mobile, walmart, kpu post-disclosure and .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through 14 federal criminal charges, Industry Petition to Block 2024 Rules (Rejected 2-1 by Sixth Circuit Court of Appeals), Congressional Review Act Challenge (Dismissed), , Opposition to T-Mobile’s motion to dismiss claims by Washington Attorney General, .

Key Lessons Learned: The key lessons learned from past incidents are The critical importance of robust security protocols and rapid response mechanisms in protecting customer data against the evolving threat landscape in the telecommunications industry.Regulatory Agencies Can Expand Authority to Address Evolving Threats (e.g., PII vs. CPNI),Industry Resistance to Compliance Costs May Fail in Court if Public Interest (e.g., Consumer Protection) is Demonstrated,Proactive Cybersecurity Investments Can Mitigate Fines (e.g., T-Mobile's Overhaul Post-Settlement)Widespread assumption of 'security through obscurity' in satellite communications is flawed.,Critical infrastructure and military systems rely on unencrypted satellite links, creating systemic risk.,Low-cost equipment can intercept high-value data, lowering the barrier for adversaries.,Passive interception of broadcast signals may not violate laws, highlighting gaps in regulatory frameworks.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Senators are urging the DOD to renegotiate contracts to strengthen cybersecurity defenses.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: NJCCIC, and Source: T-Mobile, and Source: California Office of the Attorney General, and Source: Maine Office of the Attorney GeneralDate Accessed: 2023-04-28, and Source: California Office of the Attorney GeneralDate Accessed: 2015-10-01, and Source: Washington State Office of the Attorney General, and Source: California Office of the Attorney GeneralDate Accessed: 2021-08-25, and Source: U.S. Court of Appeals for the Sixth Circuit OpinionDate Accessed: 2024-05-29, and Source: FCC Press Release on 2024 Data Breach RulesUrl: https://www.fcc.gov/document/fcc-adopts-new-data-breach-reporting-rulesDate Accessed: 2023-12-13, and Source: Reuters: 'US court upholds FCC rules requiring telecom firms to report breaches'Url: https://www.reuters.com/legal/us-court-upholds-fcc-rules-requiring-telecom-firms-report-breaches-2024-05-29/Date Accessed: 2024-05-29, and Source: FCC Enforcement Bureau Settlements (T-Mobile, AT&T, TracFone)Url: https://www.fcc.gov/enforcementDate Accessed: 2024-05-30, and Source: MLexDate Accessed: 2025-10-10, and Source: Wired Magazine, and Source: UC San Diego/University of Maryland Study (PDF).

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Alerted impacted customers via SMS notifications, Notified affected customers by sending text messages, Fcc Public Statements, Court Opinion Publication, Media Interviews (Wired) and Academic Paper Publication.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were NJCCIC warned customers to be alerted of any suspicious activity., Alerted impacted customers via SMS notifications, Offered a free two-year subscription to my true identity online credit monitoring service for those whose financial information was exposed, Telecom Companies Must Update Incident Response Plans To Include 7-Day Pii Breach Reporting, Legal Teams Should Review Congressional Review Act Implications For Future Challenges, Consumers May Receive More Breach Notifications Due To Expanded Pii Definition, Fcc Encourages Customers To Monitor Credit Reports For Signs Of Identity Theft, and Researchers Notified Affected Companies/Agencies; Some Implemented Encryption.

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Legal Representation For Industry Groups (Petitioners), , Mandated For Telecom Companies Under New Rules, , Academic Researchers (Uc San Diego, University Of Maryland), .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Fcc'S Rulemodernization To Include Pii (Beyond Cpni), Mandatory Timely Disclosure To Reduce Consumer Harm, Financial Penalties To Incentivize Compliance (E.G., T-Mobile'S $31.5M Settlement), , T-Mobile, Walmart, And Kpu Implemented Encryption Post-Disclosure., Public Disclosure To Pressure Other Operators Into Securing Transmissions., Academic Outreach To Satellite Industry Stakeholders., .

Last Attacking Group: The attacking group in the last incident were an Hackers, Unauthorized Third-Party, Former owner of a T-Mobile retail store, Cybercriminal, 21-year-old individual, Salt Typhoon espionage campaign, Academic Researchers (UC San Diego and University of Maryland)Potential State-Sponsored Actors (hypothetical)Potential Criminal Groups (hypothetical).

Most Recent Incident Detected: The most recent incident detected was on 2021-12-01.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2021.

Highest Financial Loss: The highest financial loss from an incident was More than £200,000.

Most Significant Data Compromised: The most significant data compromised in an incident were personal plan information, billing account name, phone and account number, , email addresses, billing account numbers, IMSI, , Name, Billing Address, Phone Number, Account Number, Rate Plan and Features, , customer names, billing ZIP codes, phone numbers, email addresses, account numbers, account types, , social security numbers, financial information, government ID numbers, billing information, rate plans, , Customer data, addresses, phone numbers, dates of birth, , Customers' personal information, full name, contact information, account number and related phone numbers, T-Mobile account PIN, social security number, government-issued ID, date of birth, balance owing, internal codes used by T-Mobile to service customer accounts, number of lines, , full name, contact information, account number and related phone numbers, T-Mobile account PIN, social security number, government-issued ID, date of birth, balance due, internal T-Mobile service account servicer codes, number of lines, , contact information, sensitive account details, , customer addresses, drivers' licenses, social security numbers, , names, addresses, Social Security numbers, Driver’s License numbers, , T-Mobile account PINs, Driver's license numbers, , Names, Addresses, Social Security Numbers, Dates of Birth, , Customer names, Full dates of birth, Other account information, , names, drivers’ licenses, Social Security numbers, dates of birth, , , T-Mobile user call/text metadata (2,700+ users), In-flight Wi-Fi communications, Utility infrastructure comms (oil rigs, electricity providers), US military sea vessel names/locations, Mexican military/law enforcement intelligence (narcotics tracking, asset maintenance, mission details), Military/law enforcement personnel/equipment/facility locations and .

Most Significant System Affected: The most significant system affected in an incident were T-Mobile satellite backhaulIn-flight Wi-Fi systemsUtility infrastructure satellite comms (oil rigs, electricity providers)US military sea vessel communicationsMexican military/law enforcement satellite networks.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was legal representation for industry groups (petitioners), , academic researchers (uc san diego, university of maryland), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Shut down malicious, unauthorized access, Identified and shut down a security event involving account information, Identified and mitigated intrusion attempts, Encryption implemented by T-Mobile, Walmart and KPU post-disclosure.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were internal T-Mobile service account servicer codes, US military sea vessel names/locations, drivers' licenses, phone and account number, internal codes used by T-Mobile to service customer accounts, number of lines, social security number, account number and related phone numbers, Dates of Birth, drivers’ licenses, Driver's license numbers, Customer names, Utility infrastructure comms (oil rigs, electricity providers), account numbers, Full dates of birth, customer names, addresses, date of birth, Social Security numbers, social security numbers, Phone Number, Mexican military/law enforcement intelligence (narcotics tracking, asset maintenance, mission details), In-flight Wi-Fi communications, Account Number, Driver’s License numbers, customer addresses, Customer data, billing account name, full name, Social Security Numbers, Other account information, Name, dates of birth, balance due, government ID numbers, Customers' personal information, T-Mobile account PINs, IMSI, Rate Plan and Features, account types, financial information, Names, Billing Address, Addresses, T-Mobile user call/text metadata (2,700+ users), balance owing, email addresses, personal plan information, Military/law enforcement personnel/equipment/facility locations, contact information, government-issued ID, sensitive account details, rate plans, billing ZIP codes, phone numbers, billing information, T-Mobile account PIN, names and billing account numbers.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 199.0M.

Highest Fine Imposed: The highest fine imposed for a regulatory violation was T-Mobile: $31.5M (2021+ Incidents), AT&T: $13.3M (Cloud Vendor Breach), TracFone: $16M (Customer Data Safeguard Failures), .

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was 14 federal criminal charges, Industry Petition to Block 2024 Rules (Rejected 2-1 by Sixth Circuit Court of Appeals), Congressional Review Act Challenge (Dismissed), , Opposition to T-Mobile’s motion to dismiss claims by Washington Attorney General, .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Passive interception of broadcast signals may not violate laws, highlighting gaps in regulatory frameworks.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Monitor Dark Web for Exfiltrated PII to Preempt Regulatory Action, Senators are urging the DOD to renegotiate contracts to strengthen cybersecurity defenses, Raise awareness among satellite operators about the risks of unencrypted broadcasts., Telecom Companies Should Audit PII Storage/Access to Comply with Expanded Reporting Rules, Mandate encryption for all satellite communications, especially for critical infrastructure and defense., Implement signal authentication and access controls for satellite transmissions., Develop international standards for secure satellite communications., Conduct regular audits of satellite security protocols by third-party assessors., Implement Automated Breach Detection to Meet 7-Day Deadline, Enhance Third-Party Vendor Security (e.g. and AT&T's Cloud Vendor Breach).

Most Recent Source: The most recent source of information about an incident are Reuters: 'US court upholds FCC rules requiring telecom firms to report breaches', Maine Office of the Attorney General, NJCCIC, FCC Press Release on 2024 Data Breach Rules, Wired Magazine, California Office of the Attorney General, T-Mobile, UC San Diego/University of Maryland Study (PDF), MLex, FCC Enforcement Bureau Settlements (T-Mobile, AT&T, TracFone), Washington State Office of the Attorney General and U.S. Court of Appeals for the Sixth Circuit Opinion.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.fcc.gov/document/fcc-adopts-new-data-breach-reporting-rules, https://www.reuters.com/legal/us-court-upholds-fcc-rules-requiring-telecom-firms-report-breaches-2024-05-29/, https://www.fcc.gov/enforcement .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Completed (Court Ruling Issued).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Telecom Companies Must Update Incident Response Plans to Include 7-Day PII Breach Reporting, Legal Teams Should Review Congressional Review Act Implications for Future Challenges, Researchers notified affected companies/agencies; some implemented encryption, .

Most Recent Customer Advisory: The most recent customer advisory issued were an NJCCIC warned customers to be alerted of any suspicious activity., Alerted impacted customers via SMS notifications, Offered a free two-year subscription to my true identity online credit monitoring service for those whose financial information was exposed and Consumers May Receive More Breach Notifications Due to Expanded PII DefinitionFCC Encourages Customers to Monitor Credit Reports for Signs of Identity Theft.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an SMS Phishing, Routing Infrastructure, Stolen Employee Credentials and Email Vendor.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Stolen Employee Credentials, Outdated Regulatory Framework (16 Years Without Updates)Industry Lobbying Against Stricter OversightInadequate Third-Party Risk Management (e.g., AT&T's Cloud Vendor Breach), Alleged failure to implement verifiable data protection commitmentsNon-compliance with data breach notification laws, Lack of encryption in satellite backhaul systemsOver-reliance on 'security through obscurity' (assumption that signals wouldn’t be intercepted)Absence of regulatory enforcement for satellite security standardsLow awareness of interception risks among satellite operators.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was FCC's Rulemodernization to Include PII (Beyond CPNI)Mandatory Timely Disclosure to Reduce Consumer HarmFinancial Penalties to Incentivize Compliance (e.g., T-Mobile's $31.5M Settlement), T-Mobile, Walmart, and KPU implemented encryption post-disclosure.Public disclosure to pressure other operators into securing transmissions.Academic outreach to satellite industry stakeholders..