T-Mobile reaches historic $350 million settlement in 2021 data breach
T-Mobile on Friday said it agreed to pay $350 million to a group of victims and commit $150 million extra to security upgrades to settle a class-action lawsuit brought in the wake of a 2021 hack of sensitive customer data.
The settlement would be one of the largest data breach penalties levied against a company in the U.S. — only Equifax, which agreed in 2019 to pay at least $575 million to settle allegations tied to a 2017 data breach brought by the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories, has faced steeper penalties.
“Like Equifax, they have a settlement that seems both large and small at the same time,” said Melissa Krasnow, a partner at VLP Law Group who specializes in data security and privacy, who emphasized that government investigations would continue even after a class-action settlement is paid out. “It seems huge, but just as with Equifax I wonder if there’s more [to come].”
The breach, which T-Mobile disclosed last August, was originally believed to have affected about 50 million people in the U.S., but that number was later revised to 76.6 million people. Exposed information included customers’ first and last names, Social Security numbers and driver’s license information.
A 21-year-old living in Turkey took credit for the attack, and said he did it to gain attention, The Wall Street Journal reported.
In a statement sent to The Record, a T-Mobile spokesperson said the company has “doubled down” on its cybersecurity program over the last year, creating a Cybersecurity Transformation Office that reports directly to the CEO, conducting about 900,000 cybersecurity training courses for employees and partners, and collaborating with Mandiant, Accenture, and KPMG to hone its cybersecurity strategy.
“As we continue to invest time, energy, and resources in addressing this challenge, we are pleased to have resolved this consumer class action filing,” the company said.
The company admitted no liability or wrongdoing in the proposed settlement, which is awaiting approval from the U.S. Court for the Western District of Missouri.
According to corporate filings, T-Mobile carries cyber insurance but has not disclosed how much the plan would cover for a settlement this size, Krasnow said.