T-Mobile USA Inc. has agreed to pay $500 million to settle a class action lawsuit against the company regarding a data breach in August 2021.
Subject to approval, $350 million will go to a settlement fund and “at least $150 million” will go toward enhancing its data security measures, according to Arstechnica. The exact number of people affected by the data breach is now estimated to be as many as 80 million customers, although earlier reports put the figure at 48 million.
The data breach came to light after a hacker advertised T-Mobile customer records for sale on the now defunct Raid Forums hacking forum on August 15. The hacker claimed the stolen data covered more than 100 million T-Mobile customer records and included Mobile Subscriber Identity numbers, International Mobile Equipment Identity numbers, phone numbers, customer names, PINs and date of birth, as well as the Social Security and driver’s license numbers.
T-Mobile subsequently confirmed the hack on August 16, describing the theft as involving “authorized access to some T-Mobile data.” By August 18, T-Mobile said that 48 million customer records had been accessed, including over 40 million former or prospective customers who had applied for credit and 7.8 million current customers of T-Mobile’s posted internet plans.
The proposed settlement provides compensation to approximately 76.6 million U.S. residents identified by T-Mobile whose information was compromised in the data breach.
The exact amount each customer will receive in compensation is not known. An even divide of the available funds would, in theory, see each affected customer receive $4.57 in compensation, barely a blip on most customers’ monthly bills and little recompense for the potential risk of having their personal information stolen.
In a statement about the proposed settlement, T-Mobile didn’t mention the $350 million to be paid in compensation to customers. Instead, the company listed efforts it has taken to double down on its cybersecurity programs.
The August 2021 data breach wasn’t the first time T-Mobile has been hacked and it won’t be the last. Previous data breaches at T-Mobile include two million customers in 2018, a breach of unknown size in March 2020, another data breach in January 2021 and yet again in December.
“T-Mobile has repeatedly been lax in applying minimally acceptable controls to prevent these violations of end user’s privacy and is now paying a fine the size of which should make other organizations take notice,” Oliver Tavakoli, chief technology officer at AI cybersecurity company Vectra AI Inc., told SiliconANGLE. “Note that some of the data leaked was private information collected from individuals whose applications for phones T-Mobile rejected several years prior to the breaches – information which they had no rationale to even keep.”
Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., noted that the news “is an example of the significant costs that organizations can face over a data breach, and this is the tip of the iceberg.”
“In addition to the settlement to their customers, costs associated with remediating the breach and removing any access the bad actors had to the system, along with potential regulatory fines, can seriously impact many organizations, if not cause them to close their doors altogether,” Kron added.