T-Mobile US has agreed to pay $350 million to settle class action lawsuits related to a 2021 cyberattack that affected an estimated 80 million US citizens.
A filing with the Securities and Exchange Commission (SEC) on Friday said the money would be used to “fund the claims filed by the group members, plaintiffs’ attorneys’ fees and the costs of administering the settlement.”
The wireless carrier, one of the largest in the country after acquiring Sprint in 2020, said it will invest another $150 million in data security and “related” technologies in 2022 and 2023.
The settlement, which is subject to final court approval, contains no admission of “liability, wrongdoing or responsibility.”
It relates to a major data breach that first surfaced last August and reportedly affected up to 80 million former, current and potential customers.
That is far more than the 55 million estimated at the end of August 2021. At the time, experts criticized the company for not discovering the breach itself and only becoming aware of it when the hacker began selling customer data online.
“T-Mobile has repeatedly been lax in applying minimum acceptable controls to prevent these end-user privacy violations,” argued Oliver Tavakoli, CTO at Vectra.
“Note that some of the leaked data was private information collected from people whose phone applications T-Mobile had rejected several years before the breaches — information they had no reason to keep.”
T-Mobile has suffered repeated breaches and cybersecurity incidents in recent years. In 2020, it warned some US customers about follow-up fraud after some of its employee email accounts containing their information were hijacked.
In one incident earlier this year, the Lapsus$ hacking group claimed to have stolen source code from the company.