T-Mobile to pay $500M for one of the largest data breaches in US history

When T-Mobile compromised the sensitive personal information of more than 76 million current, former, and prospective customers in 2021, the company continued to make money off their data while attempting to cover up one of the largest and most consequential data breaches in US history.

Out of the $500 million settlement, $350 million will go to the settlement fund and at least $150 million will go toward enhancing T-Mobile's data security measures over the next five years.

T-Mobile didn't tell Ars about upcoming plans to improve data security, instead linking to a statement that outlines measures it has taken to "double down" on security in the past year. Creating a Cybersecurity Transformation Office that reports directly to T-Mobile CEO Mike Sievert, collaborating with cybersecurity firms, and investing hundreds of millions of dollars to enhance its current cybersecurity tools and capabilities are all part of the plan.

An independent third-party settlement administrator will disburse the customer payouts. T-Mobile will have 10 days to send funds to the settlement administrator to begin notifying people who have been deemed eligible.

The amount of individual payouts will be determined by the number of claims filed if the settlement is approved. Lawyers for people who are suing T-Mobile say it is possible that more victims will be identified, even though everyone whose data is known to have been compromised has already been notified. A law firm set up an email address to field questions from people who believe they were left out of the settlement. According to the proposed settlement agreement, all remaining questions would be handled through a toll-free number and website.


T-Mobile said it was pleased to have resolved the class action.

The pain is not expected to go away for T-Mobile customers. Customers will continue to pay for T-Mobile's weak security choices: they view their data as permanently compromised, and they say they will need to pay for identity theft protection for the rest of their lives.

T-Mobile’s data security missteps

T-Mobile broke the terms of its own privacy policy when it failed to properly disclose information about the data breach or build proper safeguards to protect data in the first place, according to a lawsuit.

T-Mobile's seeming cover-up of hacked accounts where Social Security numbers were leaked is perhaps the most straightforward example of not properly disclosing information about the incident. In the complaint, customers shared text and email notifications that T-Mobile sent that generalized the data leak and did not caution that a customer's Social Security number was leaked when it was. T-Mobile hid the details of the data breach from the most vulnerable people.

The most egregious allegation in the complaint was that T-Mobile did not use an industry-standard data-protection practice called "rate limiting."

Any server can be hit with too many requests at one time. By limiting the number of requests a server will accept from a given source in a given period, rate limiting helps prevent resource starvation for legitimate users and stops attackers from inundating the server with requests. Anyone who has ever been locked out after trying to log in too many times has experienced the effectiveness of this defense.
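To make the mechanism concrete, here is an added example of a sliding-window rate limiter with a lockout, written for this article and not taken from T-Mobile or any real product. It tracks recent request timestamps per client key (an IP address or account name), refuses requests once the key exceeds its allowance inside the window, and imposes a temporary lockout after a burst, which is the "locked out after too many login attempts" behaviour the paragraph describes. The client addresses, limits, and the request sequence are constructed values for the demonstration; the injectable clock exists only so the simulation runs deterministically offline.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window rate limiter keyed by client identifier.

    Hypothetical example: not T-Mobile's code or any production library.
    Each key may make at most `max_requests` requests in any rolling
    `window_seconds` period; exceeding it triggers an optional lockout.
    """

    def __init__(self, max_requests, window_seconds, lockout_seconds=0.0,
                 clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                  # injectable for testing
        self._hits = defaultdict(deque)     # key -> timestamps inside the window
        self._locked_until = {}             # key -> time at which a lockout ends

    def allow(self, key):
        """Return True if the request may proceed, False if it is throttled."""
        now = self.clock()
        # A key still inside its lockout period is refused outright.
        if self._locked_until.get(key, 0.0) > now:
            return False
        recent = self._hits[key]
        # Discard timestamps that have aged out of the sliding window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            # Over the limit: refuse, and start a lockout if one is configured.
            if self.lockout:
                self._locked_until[key] = now + self.lockout
            return False
        recent.append(now)
        return True


class FakeClock:
    """Manually advanced clock so the simulation below is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate_login_attempts():
    """Replay a constructed sequence of login attempts through the limiter.

    Returns a list of (client_key, allowed) tuples in event order.
    Policy: 5 attempts per 60 s per client, then a 300 s lockout.
    """
    clock = FakeClock()
    limiter = RateLimiter(max_requests=5, window_seconds=60,
                          lockout_seconds=300, clock=clock)
    # Constructed events: (seconds since start, client key).
    # 203.0.113.7 hammers the login endpoint; 198.51.100.2 is a normal user.
    events = [
        (0.0, "203.0.113.7"), (0.1, "203.0.113.7"), (0.2, "203.0.113.7"),
        (0.3, "203.0.113.7"), (0.4, "203.0.113.7"),
        (0.5, "203.0.113.7"),      # sixth attempt in the window: refused, lockout starts
        (1.0, "198.51.100.2"),     # unrelated client is unaffected
        (2.0, "198.51.100.2"),
        (120.0, "203.0.113.7"),    # window has expired but lockout is still active
        (400.0, "203.0.113.7"),    # lockout over: allowed again
    ]
    results = []
    for t, key in events:
        clock.now = t
        results.append((key, limiter.allow(key)))
    return results


if __name__ == "__main__":
    for key, allowed in simulate_login_attempts():
        print(f"{key:<14} {'allowed' if allowed else 'THROTTLED'}")
```

The simulation shows the two properties that matter to a defender: the burst from one client is cut off after its fifth attempt and stays blocked through the lockout, while the other client's traffic is never affected, because the limit is tracked per key rather than globally.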