T-Mobile has agreed to pay $31.5 million in the aftermath of a series of data breaches and significantly overhaul its cybersecurity practices to better protect consumer data.

The settlement with the Federal Communications Commission (FCC), which was announced Monday, requires T-Mobile to spend half of the money on bolstering its cybersecurity posture and the other $15.75 million as a civil fine to the government.

T-Mobile is required to add “robust modern architectures,” including zero trust and multi-factor authentication measures, the FCC said. 

The settlement resolves charges involving multiple T-Mobile data breaches caused by allegedly poor cybersecurity practices in 2021, 2022 and 2023. Those incidents impacted millions of T-Mobile customers and involved various exploitations and methods of attack, the FCC said.

The breaches resolved by the settlement affected current, former and prospective T-Mobile customers as well as mobile virtual network operators (MVNOs). 

Information leaked included customers’ names, addresses, dates of birth, Social Security numbers and driver’s license numbers as well as customer subscription information. 

“Today’s mobile networks are top targets for cybercriminals,” FCC Chairwoman Jessica Rosenworcel said in a statement. “Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections.”

In April, the FCC announced that T-Mobile, Verizon and AT&T had collectively been fined $196 million for allegedly sharing consumers’ location data without consent and neglecting to take “reasonable measures” to protect that information.

An $80 million fine was levied against T-Mobile for those alleged failings.