T-Mobile has agreed to pay $350 million to customers in a class-action lawsuit related to personal information stolen in a 2021 cyberattack.

T-Mobile disclosed the proposed settlement in a U.S. Securities and Exchange Commission filing. The lawsuit is pending in the U.S. District Court for the Western District of Missouri. The proposed settlement remains subject to preliminary and final court approval.

If approved by the court, under the terms of the proposed settlement, T-Mobile would pay $350 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel and the costs of administering the settlement. It also would commit to spending $150 million for data security and related technology in 2022 and 2023.

The court could approve the settlement in December. However, appeals or other proceedings could delay it. T-Mobile can terminate the agreement under certain conditions.

Multiple T-Mobile Data Breaches

T-Mobile has disclosed numerous data breaches since 2018. Most recently, T-Mobile confirmed a data breach by the Lapsus$ extortion gang. It used stolen credentials and gained access to internal systems.

T-Mobile sent us the following statement regarding the class-action lawsuit settlement:

“Customers are first in everything we do and protecting their information is a top priority. Like every company, we are not immune to these criminal attacks. Our efforts to guard against them continue, and over the past year we have doubled down on our extensive cybersecurity program to enhance existing programs.”

Program enhancements include:

“As we continue to invest time, energy and resources in addressing this challenge, we are pleased to have resolved this consumer class action filing,” T-Mobile said.

No Admission of Wrongdoing

If approved, the settlement will resolve all claims brought by current, former and prospective customers impacted by the 2021 cyberattack. It contains no admission of liability, wrongdoing or responsibility.

Casey Ellis is founder and CTO of Bugcrowd.

Bugcrowd’s Casey Ellis

“On one hand, $350 million is a lot of money, and is a clear signal of the kinds of recovery and punitive costs which can be involved when a breach like this takes place,” he said. “On the other hand, 40 million records were involved in this breach overall. And a per-record penalty of $8.75 for losing something as impactful and difficult to protect and replace as a Social Security number seems like T-Mobile managed to get off fairly lightly here. Given this isn’t the only security issue affecting T-Mobile user data over the past few years, I’m pleased to see that the pain of staying the same has exceeded the pain of change, and that they’ll be investing in improving user data security in a focused and proactive way in response to this.”

T-Mobile ‘Repeatedly Lax’ with Controls

John Bambenek is principal threat hunter at Netenrich. He said the settlement represents less than half of 1% of T-Mobile’s annual revenue.

Netenrich’s John Bambenek

“Their stock price is up 2% today, at the present time,” he said. “Certainly T-Mobile needs to do better. But with those numbers, I wouldn’t be expecting any major culture shifts anytime soon.”

Oliver Tavakoli is CTO at Vectra.

“T-Mobile has repeatedly been lax in applying minimally acceptable controls to prevent these violations of end user’s privacy and is now paying a fine the size of which should make other organizations take notice,” he said.

Some of the data leaked was private information T-Mobile collected from individuals whose applications for phones it rejected, Tavakoli said. It collected that information several years prior to the breaches.

“[That’s] information which they had no rationale to even keep,” he said.