Breach Notification , Cybercrime , Fraud Management & Cybercrime

$350 Million Settlement of T-Mobile Breach Lawsuits Proposed

On Top of Settling With Victims, Telecom Carrier Would Invest More in Security
$350 Million Settlement of T-Mobile Breach Lawsuits Proposed

A proposed $350 million settlement to resolve a consolidated class action lawsuit against the U.S. telecom carrier T-Mobile, after a 2021 data breach that affected nearly 77 million people, includes breach victims and related legal costs.

See Also: Live Webinar Today | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

Under the settlement, T-Mobile is required to invest an additional $150 million to bolster its data security and related technology in 2022 and 2023, according to the settlement described in an SEC filing.

Terms of Settlement

The proposed agreement, which was filed in federal court in Missouri on Friday, would settle a class action lawsuit that consolidated more than 40 lawsuits filed after the data breach was revealed in August 2021 by the U.S. telecom carrier.

It awaits court approval that is "expected as early as December 2022 but could be delayed by appeals or other proceedings," the filing says.

The telecom carrier says it denies all the allegations made in the complaints filed against it, especially those that describe T-Mobile's failure to protect customer data, and states that the settlement is not an admission of "liability, wrongdoing or responsibility."

"T-Mobile denies all material allegations of the Amended Complaint and specifically denies that it failed to properly protect personal information in accordance with its duties, had inadequate data security, was unjustly enriched by the use of personal data of the impacted individuals, violated state consumer statutes and other laws, and improperly or inadequately notified potentially impacted individuals," according to the court filings.

A Reuters report says some of the class members could receive cash payments of $25, or $100 in California, and some could receive up to $25,000 to cover losses. In addition, they also would receive two years of identity theft protection.

"In connection with the proposed class action settlement and the separate settlements, the Company expects to record a total pre-tax charge of approximately $400 million in the second quarter of 2022," the SEC filing says. "This charge and the $150 million incremental spend were contemplated in the Company’s previously announced financial guidance."

August 2021 Breach

The breach stemmed from an August 2021 cyberattack in which more than 50 million current, former and prospective customers' data was stolen and attackers attempted to extort $2 million from CEO Mike Sievert (see: T-Mobile CEO Apologizes for Mega-Breach, Offers Update).

Overall, more than 100 million T-Mobile data records were found for sale online after the August 2021 breach - with sensitive records including Social Security numbers, driver's license numbers, names, addresses, birthdates and security PINs.

The massive data breach allegedly was carried out by John Binns, a 21-year-old American who discovered an insecure router belonging to T-Mobile. After detecting the router, Binns was able to find a point of entry into a Wisconsin data center, where he began exfiltrating data. Binns told The Wall Street Journal at the time that T-Mobile's security practices were "awful" and bragged about the attack, which he claimed he did more for recognition than monetary gain.

Repeated Attacks

In April, T-Mobile confirmed that the Lapsus$ ransomware group had breached its internal network by compromising employee accounts. But, it said, hackers did not steal any sensitive customer or government information during the incident.

Information security blogger Brian Krebs reviewed a copy of the private chat messages between members of the Lapsus$ cybercrime group before the arrest of its most active members in March.

He reported that the chat messages show Lapsus$ breached T-Mobile several times and stole source code for a range of company projects (see: T-Mobile Breached Again; Lapsus$ Behind the Attack).

The Washington-based telecommunications giant fell victim to another data breach early this year that was linked to a SIM swapping attack that it said affected "a very small number" of its 105 million customers (see: T-Mobile: Some Customers Affected by SIM Swap Data Breach).

In December 2020, T-Mobile notified customers that its cybersecurity team had detected "malicious, unauthorized access" to around 200,000 customers' accounts (see: T-Mobile Alerts Customers to New Breach).

Data from more than 1 million customers was leaked after a malicious hacker gained unauthorized access to prepaid wireless accounts in November 2019. In this instance, T-Mobile advised customers to reset their PINs (see: T-Mobile Says Prepaid Accounts Breached).

The first in this series of breaches affecting T-Mobile customers took place in August 2018, when a threat actor stole customer names, ZIP codes and other information on prepaid and postpaid accounts. Some 2.3 million customers were victimized (see: T-Mobile Database Breach Exposes 2 Million Customers' Data).

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.