The Committee on Foreign Investment in the United States (CFIUS) has slapped T-Mobile with a record $60 million fine. Announced on Wednesday, this is the largest penalty ever handed down by the committee. The fine addresses T-Mobile’s failure to prevent and report unauthorized access to sensitive data, violating an agreement made with CFIUS during its $23 billion acquisition of Sprint Corp in 2020.
Background: The Sprint Merger
The issue traces back to T-Mobile’s 2020 acquisition of Sprint, a major U.S. telecommunications provider. As part of the deal, which was scrutinized for national security concerns due to T-Mobile’s ownership by Germany’s Deutsche Telekom, T-Mobile agreed to a mitigation plan designed to safeguard U.S. data from foreign access.
Nature of the Violations
According to officials, the unauthorized access occurred during the post-merger period in 2020 and 2021. T-Mobile reportedly failed to secure sensitive data and did not report the breaches as required. While CFIUS and T-Mobile have not specified the exact data or the individuals involved, T-Mobile has stressed that these incidents were not caused by a data breach or cyberattack.
A T-Mobile spokesperson clarified, “We faced technical issues during our integration with Sprint that affected a small number of law enforcement requests. This was not a breach or intrusion, and no malicious actors were involved. The data remained within the U.S. law enforcement community and was quickly addressed.”
CFIUS’s Tougher Stance
The unprecedented $60 million fine and the decision to publicly announce it signal a tougher stance by CFIUS on enforcement. Traditionally known for its secrecy, CFIUS has recently opted for greater transparency to deter future violations. A senior U.S. official stated, “This penalty underscores CFIUS’s commitment to rigorous enforcement. Transparency in our actions serves as a warning to other companies about the importance of complying with national security agreements.”
In the past 18 months, CFIUS has issued six penalties, a significant increase from the three penalties imposed from 1975 to 2022. The fines, ranging from $100,000 to $60 million, reflect the committee’s resolve to address violations that could jeopardize national security.
Impact of Delayed Reporting
One major concern was T-Mobile’s delay in reporting the incidents. This hindered CFIUS’s ability to investigate and mitigate any potential threats to national security. Although officials did not detail the specific risks, they emphasized that timely reporting is crucial to protecting sensitive information from foreign threats.
T-Mobile’s Response
T-Mobile has responded to the fine by expressing its commitment to resolving the issues raised by CFIUS and continuing its cooperation with U.S. law enforcement. “We are pleased to have resolved this matter and look forward to ongoing collaboration with the law enforcement community to safeguard our country and customers,” the spokesperson added.
The company reiterated that the data accessed was never exposed beyond U.S. law enforcement and that the issue was promptly addressed once discovered. T-Mobile’s acknowledgment of the fine and its commitment to enhancing data security measures suggest that the company is taking steps to prevent similar issues in the future.
The case highlights the increasing scrutiny of companies with foreign ownership handling sensitive U.S. data, especially in mergers and acquisitions. national security obligations.