T-Mobile has agreed to pay $350 million to settle a class-action lawsuit focused on a 2021 data breach at the carrier that exposed information on more than 76 million people.
T-Mobile announced the news in an SEC filing and in court documents, making it the second largest data breach settlement behind Equifax’s agreement to pay $650 million.
In T-Mobile’s case, the $350 million will go to victims ensnared in the breach and cover legal fees. In addition, T-Mobile plans on spending another $150 million over the next two years to bolster its data security.
Last year’s breach at the mobile carrier was particularly bad since it exposed Social Security numbers, addresses, dates of births, and driver’s license ID information for some former and current T-Mobile subscribers.
The data was exposed in a cyberattack involving a hacker, who stole 106GB of data that also included information on prospective T-Mobile customers. The hacker then sold the information to other cybercriminals on internet forums.
“During the weeks and months following the data breach, plaintiffs allege that they and other class members suffered actual and attempted identity theft and fraud, including unauthorized credit applications filed in their names,” the proposed settlement says. This included hackers using the stolen information to break into victims’ banking and online accounts.
“Similarly, numerous plaintiffs and other class members have been notified by third-party monitoring companies that their PII (personal identifying information) was located on the dark web as a result of the data breach,” the settlement adds. As a result, the data breach sparked dozens of victims to file lawsuits against the carrier, demanding it pay damages.
T-Mobile is now proposing up to $25,000 in reimbursement to any victims who suffered “out-of-pocket losses” resulting from the data breach. This also includes compensating victims for loss of time responding to the breach, if evidence is provided.
“Settlement Class Members can claim $25 per hour, or their current hourly rate if higher and supported by documentation,” the court documents say. However, the settlement will only pay the $25 rate for “up to five hours of time spent responding to the data breach or up to fifteen hours of time spent addressing related out-of-pocket losses.”
Victims who didn’t experience any losses can receive a $25 cash payment or a two-year subscription to an identity monitoring service. Residents living in California can receive a higher cash payment of $100.
T-Mobile expects the US district court to approve the settlement "as early as December," although it’s possible the deal could be delayed if an appeal is filed.
One potential issue is whether the settlement offers enough money to compensate victims. But the court documents note: “After vigorous and hard-fought negotiations occurring over two full days on June 7 and 8, 2022, the parties reached an agreement in principle and executed a binding term sheet.”
The settlement will also exclude any victims who filed their own arbitration demand or petition against T-Mobile regarding the data breach. Once the settlement receives court approval, T-Mobile will then begin the process of notifying victims about filing a claim to receive compensation.