T-Mobile US has agreed to pay $350m to settle class action claims related to a 2021 cyber-attack which impacted an estimated 80 million US residents.
A filing with the Securities and Exchange Commission (SEC) on Friday explained that the money would be used to “fund claims submitted by class members, the legal fees of plaintiffs’ counsel and the costs of administering the settlement.”
The mobile carrier, one of the country’s largest after its acquisition of Sprint in 2020, said it would also put an additional $150m into data security and “related” technology in 2022 and 2023.
The settlement, which is subject to final court approval, contains no admission of “liability, wrongdoing or responsibility.”
It relates to a major data breach first disclosed last August, which reports have claimed impacted as many as 80 million former, current and prospective customers.
That’s far greater than the 55 million estimated at the end of August 2021. Experts at the time criticized the company for failing to discover the breach itself, only becoming aware of it once the hacker had started selling customer data online.
“T-Mobile has repeatedly been lax in applying minimally acceptable controls to prevent these violations of end user’s privacy,” argued Oliver Tavakoli, CTO at Vectra.
“Note that some of the data leaked was private information collected from individuals whose applications for phones T-Mobile rejected several years prior to the breaches – information which they had no rationale to even keep.”
T-Mobile has suffered repeated breaches and cybersecurity incidents over recent years. In 2020 it alerted some US customers about follow-on fraud after some of its employee email accounts containing their info were hijacked.
In an incident this year, hacking group Lapsus claimed to have stolen source code from the firm.