T-MobileIn a class action suit that claimed it allowed sensitive information to be stolen from millions of current, former and potential customers by hackers last year.
If approved, the deal would be the second largest data breach settlement in US history, after Equifax agreed to pay $700 million in 2019.
The mobile carrier has not admitted any wrongdoing but in a statement shared with CNET, T-Mobile said it was “delighted to have resolved this consumer class action.”
“Customers are first in everything we do, and protecting their information is a top priority,” T-Mobile added. “Like every company, we are not immune to these criminal attacks.”
In addition to paying affected customers, T-Mobile will invest $150 million in improving data security, according to SEC filings.
Here’s what you need to know about a T-Mobile data breach settlement, including who qualifies for damages, how much they can get and when the money might arrive.
For more information, find out if you qualify to settle a $90 class action lawsuit on Facebook.
What happened in the T-Mobile data breach case?
On August 15, 2021, T-Mobile reported that a cyber attack resulted in millions of people stealing personal information. According to court documents, names, addresses, dates of birth, Social Security numbers, driver’s license details and other sensitive information, including unique codes that identified individual phones, were revealed.
The number of people affected is unclear: according to court filings, the data of 76.6 million people was exposed, but T-Mobile claimed only that the names, addresses and personal identification numbers (PINs) of about 850,000 people were “hackered”.
An individual selling information on the dark web for 6 bitcoins (about $277,000 at the time) told Vice that they had data on more than 100 million people, all collected from T-Mobile’s servers.
Jon Baines, a 21-year-old resident of Turkey, eventually took responsibility for the cyberattackthat has hit T-Mobile since 2015.
“I was freaking out that I had gotten to something big,” Bynes told the Wall Street Journal. “Their security is appalling.”
The July 24 settlement, filed in the US District Court for the Western District of Missouri, consolidates at least 44 class actions that alleged T-Mobile was lenient with its cyber security and failed to protect personal information.
How do you know if you are eligible to pay?
T-Mobile has not released the full details of its payment plan. Class members are usually notified — in this case, people who were T-Mobile customers in August 2021 — that they are eligible by mail. (Full disclosure: This reporter was a T-Mobile customer at the time.)
Read more: How to protect your personal data after a security breach
Customers are then given 90 days to file claim forms or request to withdraw from the settlement and reserve the right to pursue their separate legal claims, according to court papers.
It may take several months before individuals find out if they will get money from the settlement, TechCrunch reported.
How much money can you get?
Class members can receive a cash payment of $25, or $100 for Californians.
It could be significantly lower, depending on how many people respond. In addition to paying the claims, the $350 million must go toward settling legal fees and administrative costs. Plaintiffs’ attorneys may charge up to 30% of the settlement, according to court filings.
Separately, some people may receive up to $25,000 to cover losses they incur as a direct result of the breach.
T-Mobile is also offering two free years of McAfee’s ID Theft Protection Service to anyone who thinks they might be a victim.
When may you receive your money?
Even if you qualify, you likely won’t see any money until at least 2023.
T-Mobile has 30 days to provide the court with a list of class members, along with their phone numbers, postal addresses, and email addresses, “to the extent available.”
Once the eligible parties are notified, claims are filed, legal fees are deducted and the remaining funds are divided among the class members who submitted the claims forms. This will likely take months.
Additionally, the $350 million in damages is preliminary. It still requires final approval from a judge, which T-Mobile says will come by December at the earliest.
What is T-Mobile doing to protect against future security breaches?
In its July 22 statement, the company said T-Mobile had “doubled-up its role” in fighting hackers, by strengthening employee training, collaborating with industry experts like Mandiant and Accenture on new protocols, and creating a cybersecurity office that reports directly to the head of company. CEO Mike Seifert.
Security journalist Brian Krebs reported in April 2022 that T-Mobile was a victim of hacking group Lapsus$.
Hackers accessed employee accounts and attempted to find T-Mobile accounts linked to the Department of Defense and the FBI, TechCruch reports. It was thwarted by secondary authentication checks.