T-Mobile has agreed to pay $500 million to settle a class action lawsuit launched after a 2021 data breach.
It will pay $350 million to settle claims and plaintiffs’ legal fees. It has also committed to spending a further $150 million on “data security and related technology” in 2022 and 2023, it said in an SEC filing.
Settlement of the T-Mobile class action suit (T-Mobile Customer Data Security Breach Litigation, Case No. 21-md-3019-BCW, pending in the Western District of Missouri), is subject to court approval.
The case was launched after 21-year-old hacker John Brinns accessed the data of 54 million customers and partners, telling press T-Mobile’s security was “awful”. He accessed phone numbers, dates of birth, social security details, IMEI and IMSI information, the typical identifier numbers associated with a mobile phone and more.
T-Mobile expects final court approval by December 2022: “[It] anticipates that, upon court approval, the settlement will provide a full release of all claims arising out of the cyberattack by class members, who do not opt out, against all defendants, including the Company, its subsidiaries and affiliates, and its directors and officers. The settlement contains no admission of liability, wrongdoing or responsibility by any of the defendants” it said.
T-Mobile reported $58.4 billion in full-year 2021 earnings. It expects cash capex of $13.5 billion in 2022.
It told investors in March 2022 that “we’re expanding the number of large multinational banks relying on T-Mobile for security, for compliance, for their hybrid workforce” — making the comments just five days after reports of another breach in which a group of teenage hackers hacked T-Mobile and downloaded over 30,000 source code repositories — also gaining access to Atlas, a T-Mobile tool for managing customer accounts
T-Mobile CEO Mike Sievert said in the wake of the 2021 T-Mobile breach (confirmed on August 17, 2021), that the telco had entered into long-term partnerships with Mandiant, and KPMG, saying “we know we need additional expertise to take our cybersecurity efforts to the next level—and we’ve brought in the help.”
Mandiant will “support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks” he said, while KPMG will “perform a thorough review of all T-Mobile security policies and performance measurement… focus on controls to identify gaps and areas of improvement.”