Incident Types: The types of cybersecurity incidents that have occurred include Data Leak, Cyber Attack, Vulnerability and Breach.

Total Financial Loss: The total financial loss from these incidents is estimated to be $200 thousand.

Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with shut down malicious, unauthorized access, and communication strategy with alerted impacted customers via sms notifications, and containment measures with identified and shut down a security event involving account information, and communication strategy with notified affected customers by sending text messages, and and containment measures with identified and mitigated intrusion attempts, and third party assistance with legal representation for industry groups (petitioners), and communication strategy with fcc public statements, communication strategy with court opinion publication, and enhanced monitoring with mandated for telecom companies under new rules, and incident response plan activated with partial (by some affected entities post-notification), and third party assistance with academic researchers (uc san diego, university of maryland), and containment measures with encryption implemented by t-mobile, walmart, kpu post-disclosure, and remediation measures with notification to affected entities, remediation measures with public disclosure to raise awareness, and communication strategy with media interviews (wired), communication strategy with academic paper publication..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through SMS Phishing, Email Vendor and Stolen Employee Credentials.

Average Financial Loss: The average financial loss per incident is $10.00 thousand.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal Plan Information, Billing Account Name, Phone And Account Number, , Email Addresses, Billing Account Numbers, Imsi, , Personally Identifiable Information, Account Information, , Customer Names, Billing Zip Codes, Phone Numbers, Email Addresses, Account Numbers, Account Types, , Social Security Numbers, Financial Information, Government Id Numbers, Billing Information, Rate Plans, , Customer data, Addresses, Phone Numbers, Dates Of Birth, , Personal information required to complete an online purchase, Full Name, Contact Information, Account Number And Related Phone Numbers, T-Mobile Account Pin, Social Security Number, Government-Issued Id, Date Of Birth, Balance Owing, Internal Codes Used By T-Mobile To Service Customer Accounts, Number Of Lines, , Personal Information, , Customer Addresses, Drivers' Licenses, Social Security Numbers, , Names, Addresses, Social Security Numbers, Driver’S License Numbers, , Personal Information, , Customer Names, Full Dates Of Birth, Other Account Information, , Names, Drivers’ Licenses, Social Security Numbers, Dates Of Birth, , Customer Proprietary Network Information (Cpni), Personally Identifiable Information (Pii): Ssns, Email Addresses, , Call/Text Metadata (Phone Numbers, Timestamps), Military/Law Enforcement Operational Data (Locations, Mission Details), Utility Infrastructure Communications, Vessel/Asset Maintenance Records and .

Incident Response Plan: The company's incident response plan is described as Partial (by some affected entities post-notification), .

Third-Party Assistance: The company involves third-party assistance in incident response through Legal Representation for Industry Groups (Petitioners), , Academic researchers (UC San Diego, University of Maryland), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Notification to affected entities, Public disclosure to raise awareness, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by shut down malicious, unauthorized access, identified and shut down a security event involving account information, identified and mitigated intrusion attempts, encryption implemented by t-mobile, walmart, kpu post-disclosure and .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through 14 federal criminal charges, Industry Petition to Block 2024 Rules (Rejected 2-1 by Sixth Circuit Court of Appeals), Congressional Review Act Challenge (Dismissed), .

Key Lessons Learned: The key lessons learned from past incidents are Regulatory Agencies Can Expand Authority to Address Evolving Threats (e.g., PII vs. CPNI),Industry Resistance to Compliance Costs May Fail in Court if Public Interest (e.g., Consumer Protection) is Demonstrated,Proactive Cybersecurity Investments Can Mitigate Fines (e.g., T-Mobile's Overhaul Post-Settlement)Widespread assumption of 'security through obscurity' in satellite communications is flawed.,Critical infrastructure and military systems rely on unencrypted satellite links, creating systemic risk.,Low-cost equipment can intercept high-value data, lowering the barrier for adversaries.,Passive interception of broadcast signals may not violate laws, highlighting gaps in regulatory frameworks.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Senators are urging the DOD to renegotiate contracts to strengthen cybersecurity defenses.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: NJCCIC, and Source: T-Mobile, and Source: California Office of the Attorney General, and Source: California Office of the Attorney GeneralDate Accessed: 2015-10-01, and Source: Washington State Office of the Attorney General, and Source: California Office of the Attorney GeneralDate Accessed: 2021-08-25, and Source: U.S. Court of Appeals for the Sixth Circuit OpinionDate Accessed: 2024-05-29, and Source: FCC Press Release on 2024 Data Breach RulesUrl: https://www.fcc.gov/document/fcc-adopts-new-data-breach-reporting-rulesDate Accessed: 2023-12-13, and Source: Reuters: 'US court upholds FCC rules requiring telecom firms to report breaches'Url: https://www.reuters.com/legal/us-court-upholds-fcc-rules-requiring-telecom-firms-report-breaches-2024-05-29/Date Accessed: 2024-05-29, and Source: FCC Enforcement Bureau Settlements (T-Mobile, AT&T, TracFone)Url: https://www.fcc.gov/enforcementDate Accessed: 2024-05-30, and Source: Wired Magazine, and Source: UC San Diego/University of Maryland Study (PDF).

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Alerted impacted customers via SMS notifications, Notified affected customers by sending text messages, Fcc Public Statements, Court Opinion Publication, Media Interviews (Wired) and Academic Paper Publication.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were NJCCIC warned customers to be alerted of any suspicious activity., Alerted impacted customers via SMS notifications, Offered a free two-year subscription to my true identity online credit monitoring service for those whose financial information was exposed, Telecom Companies Must Update Incident Response Plans To Include 7-Day Pii Breach Reporting, Legal Teams Should Review Congressional Review Act Implications For Future Challenges, Consumers May Receive More Breach Notifications Due To Expanded Pii Definition, Fcc Encourages Customers To Monitor Credit Reports For Signs Of Identity Theft, and Researchers Notified Affected Companies/Agencies; Some Implemented Encryption.

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Legal Representation For Industry Groups (Petitioners), , Mandated For Telecom Companies Under New Rules, , Academic Researchers (Uc San Diego, University Of Maryland), .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Fcc'S Rulemodernization To Include Pii (Beyond Cpni), Mandatory Timely Disclosure To Reduce Consumer Harm, Financial Penalties To Incentivize Compliance (E.G., T-Mobile'S $31.5M Settlement), , T-Mobile, Walmart, And Kpu Implemented Encryption Post-Disclosure., Public Disclosure To Pressure Other Operators Into Securing Transmissions., Academic Outreach To Satellite Industry Stakeholders., .

Last Attacking Group: The attacking group in the last incident were an Hackers, Unauthorized Third-Party, Former owner of a T-Mobile retail store, Cybercriminal, 21-year-old individual, Academic Researchers (UC San Diego and University of Maryland)Potential State-Sponsored Actors (hypothetical)Potential Criminal Groups (hypothetical).

Most Recent Incident Detected: The most recent incident detected was on 2021-12-01.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-05-29.

Highest Financial Loss: The highest financial loss from an incident was More than £200,000.

Most Significant Data Compromised: The most significant data compromised in an incident were personal plan information, billing account name, phone and account number, , email addresses, billing account numbers, IMSI, , Name, Billing Address, Phone Number, Account Number, Rate Plan and Features, , customer names, billing ZIP codes, phone numbers, email addresses, account numbers, account types, , social security numbers, financial information, government ID numbers, billing information, rate plans, , Customer data, addresses, phone numbers, dates of birth, , Customers' personal information, full name, contact information, account number and related phone numbers, T-Mobile account PIN, social security number, government-issued ID, date of birth, balance owing, internal codes used by T-Mobile to service customer accounts, number of lines, , full name, contact information, account number and related phone numbers, T-Mobile account PIN, social security number, government-issued ID, date of birth, balance due, internal T-Mobile service account servicer codes, number of lines, , customer addresses, drivers' licenses, social security numbers, , names, addresses, Social Security numbers, Driver’s License numbers, , Names, Addresses, Social Security Numbers, Dates of Birth, , Customer names, Full dates of birth, Other account information, , names, drivers’ licenses, Social Security numbers, dates of birth, , T-Mobile user call/text metadata (2,700+ users), In-flight Wi-Fi communications, Utility infrastructure comms (oil rigs, electricity providers), US military sea vessel names/locations, Mexican military/law enforcement intelligence (narcotics tracking, asset maintenance, mission details), Military/law enforcement personnel/equipment/facility locations and .

Most Significant System Affected: The most significant system affected in an incident were T-Mobile satellite backhaulIn-flight Wi-Fi systemsUtility infrastructure satellite comms (oil rigs, electricity providers)US military sea vessel communicationsMexican military/law enforcement satellite networks.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was legal representation for industry groups (petitioners), , academic researchers (uc san diego, university of maryland), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Shut down malicious, unauthorized access, Identified and shut down a security event involving account information, Identified and mitigated intrusion attempts, Encryption implemented by T-Mobile, Walmart and KPU post-disclosure.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were rate plans, names, dates of birth, billing ZIP codes, Full dates of birth, billing account numbers, internal codes used by T-Mobile to service customer accounts, billing account name, Other account information, Utility infrastructure comms (oil rigs, electricity providers), Account Number, Customers' personal information, Name, Rate Plan and Features, phone and account number, customer addresses, Dates of Birth, social security numbers, balance due, Billing Address, addresses, Driver’s License numbers, Addresses, Phone Number, phone numbers, internal T-Mobile service account servicer codes, number of lines, email addresses, account number and related phone numbers, Customer names, financial information, Mexican military/law enforcement intelligence (narcotics tracking, asset maintenance, mission details), Customer data, customer names, full name, social security number, balance owing, In-flight Wi-Fi communications, government-issued ID, Social Security Numbers, contact information, T-Mobile account PIN, Names, T-Mobile user call/text metadata (2,700+ users), personal plan information, account numbers, IMSI, account types, government ID numbers, Social Security numbers, Military/law enforcement personnel/equipment/facility locations, drivers’ licenses, billing information, date of birth, US military sea vessel names/locations and drivers' licenses.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 162.0M.

Highest Fine Imposed: The highest fine imposed for a regulatory violation was T-Mobile: $31.5M (2021+ Incidents), AT&T: $13.3M (Cloud Vendor Breach), TracFone: $16M (Customer Data Safeguard Failures), .

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was 14 federal criminal charges, Industry Petition to Block 2024 Rules (Rejected 2-1 by Sixth Circuit Court of Appeals), Congressional Review Act Challenge (Dismissed), .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Passive interception of broadcast signals may not violate laws, highlighting gaps in regulatory frameworks.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Enhance Third-Party Vendor Security (e.g., AT&T's Cloud Vendor Breach), Conduct regular audits of satellite security protocols by third-party assessors., Implement signal authentication and access controls for satellite transmissions., Raise awareness among satellite operators about the risks of unencrypted broadcasts., Telecom Companies Should Audit PII Storage/Access to Comply with Expanded Reporting Rules, Mandate encryption for all satellite communications, especially for critical infrastructure and defense., Monitor Dark Web for Exfiltrated PII to Preempt Regulatory Action, Implement Automated Breach Detection to Meet 7-Day Deadline, Develop international standards for secure satellite communications. and Senators are urging the DOD to renegotiate contracts to strengthen cybersecurity defenses.

Most Recent Source: The most recent source of information about an incident are U.S. Court of Appeals for the Sixth Circuit Opinion, Wired Magazine, Washington State Office of the Attorney General, Reuters: 'US court upholds FCC rules requiring telecom firms to report breaches', FCC Enforcement Bureau Settlements (T-Mobile, AT&T, TracFone), T-Mobile, UC San Diego/University of Maryland Study (PDF), NJCCIC, FCC Press Release on 2024 Data Breach Rules and California Office of the Attorney General.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.fcc.gov/document/fcc-adopts-new-data-breach-reporting-rules, https://www.reuters.com/legal/us-court-upholds-fcc-rules-requiring-telecom-firms-report-breaches-2024-05-29/, https://www.fcc.gov/enforcement .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Completed (Court Ruling Issued).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Telecom Companies Must Update Incident Response Plans to Include 7-Day PII Breach Reporting, Legal Teams Should Review Congressional Review Act Implications for Future Challenges, Researchers notified affected companies/agencies; some implemented encryption, .

Most Recent Customer Advisory: The most recent customer advisory issued were an NJCCIC warned customers to be alerted of any suspicious activity., Alerted impacted customers via SMS notifications, Offered a free two-year subscription to my true identity online credit monitoring service for those whose financial information was exposed and Consumers May Receive More Breach Notifications Due to Expanded PII DefinitionFCC Encourages Customers to Monitor Credit Reports for Signs of Identity Theft.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an SMS Phishing, Stolen Employee Credentials and Email Vendor.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Stolen Employee Credentials, Outdated Regulatory Framework (16 Years Without Updates)Industry Lobbying Against Stricter OversightInadequate Third-Party Risk Management (e.g., AT&T's Cloud Vendor Breach), Lack of encryption in satellite backhaul systemsOver-reliance on 'security through obscurity' (assumption that signals wouldn’t be intercepted)Absence of regulatory enforcement for satellite security standardsLow awareness of interception risks among satellite operators.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was FCC's Rulemodernization to Include PII (Beyond CPNI)Mandatory Timely Disclosure to Reduce Consumer HarmFinancial Penalties to Incentivize Compliance (e.g., T-Mobile's $31.5M Settlement), T-Mobile, Walmart, and KPU implemented encryption post-disclosure.Public disclosure to pressure other operators into securing transmissions.Academic outreach to satellite industry stakeholders..