T-Mobile, mobile communications subsidiaries of the German telecommunications company Deutsche Telekom AG in the Czech Republic, Poland, the United States and by the former subsidiary in the Netherlands, has agreed to pay $350 million to settle a class action lawsuit focused on the 2021 data breach at the carrier that exposed information on more than 76 million people.
On Friday, T-Mobile announced the news in an SEC filing(Opens in a new window) and in court documents(Opens in a new window), making it the largest data breach settlement second only to Equifax’s agreement to pay $650 million.
In T-Mobile’s case, the $350 million would go toward reimbursing victims ensnared in the breach and paying the legal fees from the prosecuting attorneys behind the class action lawsuit. In addition, T-Mobile plans on spending another $150 million over the next two years to bolster the company’s data security.
Last year’s breach at the mobile carrier was particularly bad since it exposed social security numbers, addresses, dates of births, and driver’s license ID information for some former and current T-Mobile subscribers.
The data was exposed in a cyber attack involving a hacker, who managed to steal 106GB of data that also included information on prospective T-Mobile customers. The hacker then proceeded to sell the information to other cybercriminals on forums.
“During the weeks and months following the Data Breach, Plaintiffs allege that they and other class members suffered actual and attempted identity theft and fraud, including unauthorized credit applications filed in their names,” the proposed settlement says. This included hackers using the stolen information to break into victims’ banking and online accounts.
“Similarly, numerous Plaintiffs and other class members have been notified by third-party monitoring companies that their PII (personal identifying information) was located on the dark web as a result of the Data Breach,” the settlement adds. As a result, the data breach sparked dozens of victims to file lawsuits against the carrier, demanding it pay up in damages.
T-Mobile is now proposing offering up to $25,000 in reimbursement to any victims who suffered “out-of-pocket losses” resulting from the data breach. This also includes compensating victims for loss time responding to the breach, if evidence is provided.
“Settlement Class Members can claim $25 per hour, or their current hourly rate if higher and supported by documentation,” the court documents say. However, the settlement will only pay the $25 rate for “up to five hours of time spent responding to the Data Breach or up to fifteen hours of time spent addressing related Out-of-Pocket Losses.”
Victims who didn’t experience any losses can receive a $25 cash payment or a two-year subscription to an identity monitoring service. Residents living in California can receive a higher cash payment of $100.