T-Mobile has reached a settlement in the US with the victims of a data breach in mid-2021. The telecom company is prepared to pay an amount of 350 million dollars to end the legal battle. In addition, T-Mobile is earmarking an amount of 150 million dollars this year and next to improve information security. The court has yet to formally approve the settlement.
This is according to documents from the Missouri court (PDF).
Hacker steals personal data from tens of millions of (former) customers
In August 2021, a hacker managed to infiltrate T-Mobile’s corporate network. In this way he managed to loot names, addresses, IMEI numbers, driving licenses and social security numbers. He offered this personal data on a hacker forum on the dark web. For the entire dataset, he asked for an amount of 6 bitcoins, which at the time had a value of almost a quarter of a million dollars.
Initially, T-Mobile said it involved private data of 6 million customers and former customers. Later, the telecom company corrected this and adjusted the number of victims to 54.8 million. In addition to name and address details, identity details were also stolen from nearly 8 million customers.
An investigation showed that the hacker managed to penetrate the internal systems via a brute force attack. Mike Sievert, the CEO of T-Mobile, donned the robe and went deep into the dust. “Attacks like these are on the rise and hackers are looking every day for new ways to attack and exploit our systems. We invest a lot of time and energy to stay one step ahead, but we have not lived up to the expectations we have of ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event,” he said at the time.
The hacker responsible for the data breach told The Wall Street Journal that T-Mobile’s security was “horribly bad” . He managed to penetrate the company network via an unsecured router that was connected to the Internet.
Two mass claims filed against T-Mobile
The incident led to two mass claims being filed against T-Mobile. The first lawsuit focused on the risks that victims ran because their data had ended up on the street. In the indictment, the plaintiff argued that scammers could misuse the stolen personal data in all kinds of ways, for example by fraud with income tax. Due to T-Mobile’s negligence, victims ran “significant risks”.
The second mass claim claimed that victims had spent more than a thousand hours protecting themselves against possible privacy risks from the data breach. Victims had spent this time checking statements for unexplained payment transactions, unexplained purchases and other suspicious activity, among other things.
“T-Mobile knew its systems were vulnerable to attacks. However, it failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ personal data. As a result, millions of customers are once again at high risk of fraud and identity theft . Customers expected and deserved better from the country’s second-largest provider,” the indictment read.
T-Mobile willing to pay hundreds of millions
We are now almost a year later and T-Mobile wants to throw in the towel. The telecom company is prepared to put an amount of 350 million dollars on the table. That money must be distributed among the participants of the mass claim. Part of the amount is intended to offset the plaintiffs’ legal costs.
In addition, T-Mobile is coughing up an amount of 150 million dollars to increase information security and to purchase related technology. Half of that will be paid this year, the other half in 2023. T-Mobile expects that the settlement will exempt it from all claims. The settlement contains no admission of liability, misconduct or responsibility by any of the plaintiffs.
The Missouri court has yet to approve the settlement. This is expected to happen in December 2022, but could possibly be delayed due to legal proceedings. T-Mobile reserves the right to terminate the settlement.
Catch up on more articles here
Follow us on Twitter here