When the sensitive personal information of more than 76 million current, former and prospective T-Mobile customers was compromised in a 2021 hack, plaintiffs in a class-action lawsuit complained that the company continued to profit from their data while trying to cover up “one of the largest and most consequential data breaches in United States history.”
Now, T-Mobile has admitted no guilt but has agreed to pay a settlement of $500 million (pending a judge’s approval), of which $350 million will go to the settlement fund and “at least $150 million” will go to bolster the security of its data through 2023.
T-Mobile declined to tell Ars about specific upcoming plans to improve data security, instead linking to a statement outlining actions it took to “double down” on security in the past year. These include setting up a Cybersecurity Transformation Office that reports directly to T-Mobile CEO Mike Sievert; collaborating with cybersecurity companies to “further transform our cybersecurity program;” intensifying cybersecurity training for employees; and investing “hundreds of millions of dollars to enhance our existing cybersecurity tools and capabilities.”
All payments to T-Mobile customers will be disbursed from the proposed settlement through an independent third-party settlement administrator. The agreement states that T-Mobile will have 10 days to send funds to the Settlement Administrator to begin the process of notifying each person deemed eligible to submit claims.
At the moment, no one knows exactly how much individual payments will be, as this number will depend on the total number of claims submitted if a settlement is reached. T-Mobile says everyone whose data was compromised has already been notified, while lawyers representing people suing T-Mobile said more victims could still be identified. At least one law firm has created an email address to answer questions from anyone interested in the proposed settlement. In the proposed settlement agreement, T-Mobile also said that a toll-free number and website will be established to answer all remaining questions.
In its statement, T-Mobile said it was “delighted to have resolved this consumer class action lawsuit.”
For T-Mobile customers who have been hurt by the data breach, the pain is never really expected to end. In their complaint, customers say they will continue to pay for T-Mobile’s poor security choices. They see their data as compromised forever, and claim they will need to pay for ongoing identity theft protection going forward, with the “certain, imminent, and persistent threat of fraud and identity theft” always looming on the horizon.
T-Mobile data security slips
Perhaps the most obvious example of T-Mobile not properly disclosing information about the hack was the apparent cover-up of compromised accounts where Social Security numbers were leaked. In the complaint, customers shared text message and email notifications sent by T-Mobile that disclosed the data leak but did not warn that the customer’s Social Security number had been leaked when it had been. When that wasn’t the case, however, T-Mobile sent out different notices specifically reassuring customers that their Social Security numbers had not been leaked. The discrepancy suggests that T-Mobile intentionally concealed the details of the data breach from those most vulnerable to identity theft.
Perhaps the most egregious of all the allegations that T-Mobile did not take basic steps to properly protect data is the complaint’s claim that the company did not rely on an industry-standard data protection practice called “rate limiting.”
Rate limiting is a way of protecting servers from being hit with too many requests at once. By limiting the number of requests a server will accept within a given time frame, it helps prevent resource starvation for regular users and prevents hackers from flooding servers with requests. Anyone who has ever been blocked after too many failed logins in a row has experienced the effectiveness of this defense.
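The per-client request cap and the failed-login lockout described above can be sketched in a few lines of Python. This is an illustration added here, not code from the article, the complaint or T-Mobile; the limits, function names, documentation-range IP addresses and the credential store are all constructed assumptions.

```python
import hmac
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Track events per key and cap them at `limit` per `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)   # key -> timestamps still in window

    def _live(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:   # forget expired events
            q.popleft()
        return q

    def blocked(self, key, now):
        return len(self._live(key, now)) >= self.limit

    def record(self, key, now):
        self._live(key, now).append(now)

    def allow(self, key, now):
        """Count one request; refuse it once the key has reached its cap."""
        if self.blocked(key, now):
            return False
        self.record(key, now)
        return True

def login(failures, users, client, user, password, now):
    """Return 'ok', 'denied' or 'locked'; only failed attempts are counted."""
    if failures.blocked(client, now):
        return "locked"                      # refuse before checking anything
    stored = users.get(user, "").encode()
    if stored and hmac.compare_digest(stored, password.encode()):
        return "ok"
    failures.record(client, now)
    return "denied"

def simulate():
    # Constructed data; a real service would store password hashes.
    users = {"alice": "correct horse"}
    requests = SlidingWindowLimiter(limit=5, window=1.0)    # 5 requests/second
    failures = SlidingWindowLimiter(limit=3, window=60.0)   # 3 failures/minute
    # One client floods 20 requests in 0.2 s; a regular client sends one.
    flood = [requests.allow("203.0.113.7", i * 0.01) for i in range(20)]
    regular = requests.allow("198.51.100.4", 0.1)
    # The same client then guesses passwords once a second.
    guesses = [login(failures, users, "203.0.113.7", "alice", f"guess{i}", 10.0 + i)
               for i in range(5)]
    later = login(failures, users, "203.0.113.7", "alice", "correct horse", 80.0)
    return flood.count(True), regular, guesses, later
```

Because each limit is keyed per client, the flooding client is cut off without starving the regular one, and the lockout lifts on its own once the failed attempts age out of the window.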