The Committee on Foreign Investment in the United States (CFIUS), a U.S. government agency responsible for reviewing foreign investments in the country, has levied a $60 million fine on T-Mobile US, Inc. following a series of unauthorized data access incidents.
The infractions occurred between August 2020 and June 2021, violating a key provision of a national security agreement (NSA) that T-Mobile entered into as part of its 2020 merger with Sprint Corporation.
T-Mobile Breach of National Security Agreement
CFIUS approved the merger between T-Mobile and Sprint subject to the agreement, which aimed to mitigate potential national security risks. However, T-Mobile failed to adhere to the agreement by not taking adequate measures to prevent unauthorized access to sensitive data and reporting incidents in a timely manner.
As a result, the agency concluded that the T-Mobile breaches harmed the national security interests of the United States. This is the largest penalty imposed by CFIUS to date, with the treasury.gov website containing the following statement:
CFIUS determined that between August 2020 and June 2021, in violation of a material provision of the NSA, T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data and failed to report some incidents of unauthorized access promptly to CFIUS, delaying the Committee’s efforts to investigate and mitigate any potential harm. CFIUS concluded that these violations resulted in harm to the national security equities of the United States. T-Mobile has worked with CFIUS to enhance its compliance posture and obligations and has committed to working cooperatively with the U.S. Government to ensure compliance with its obligations going forward.
CFIUS concluded that these violations resulted in harm to the national security interests of the United States, leading to the unprecedented $60 million penalty.
Increased Transparency and Enforcement Focus
Earlier this week, the U.S. Treasury Department, which chairs CFIUS, unveiled a new CFIUS enforcement website, providing the public and the investing community with greater insight into the committee’s compliance and enforcement efforts.
“In the last few years, CFIUS has redoubled its resources and focus on enforcement and accountability, and that is by design: if CFIUS requires companies to make certain commitments to protect national security and they fail to do so, there must be consequences,” said Assistant Secretary of the Treasury for Investment Security Paul Rosen. “Today’s penalty updates underscore CFIUS’s commitment to accountability and the protection of national security.”
The website update includes details on all the civil monetary penalties imposed by CFIUS over the past few years, with the T-Mobile penalty being the largest and only incident disclosed directly by name. CFIUS has issued three times more penalties in 2023 and 2024 than it had in its nearly 50-year history, marking its commitment to holding companies accountable.