Class-action lawsuit forces T-Mobile to pay $350m for data leak incident

To settle a class-action lawsuit, T-Mobile paid US$350 million for a 2021 hack that leaked about 76.6 million US residents’ data.

The US communications giant has also been ordered to spend $150 million on "data security and related technology" in 2022 and 2023, on top of what the company had already budgeted for the next year.

T-Mobile announced the hack in August 2021, confirming its systems had been breached, after reports that over 100 million of its customers' sensitive data including Social Security numbers, names, addresses, and drivers' license numbers were up for sale.

According to the "Class Action Settlement Agreement and Release" document filed at the US District Court of Missouri, "this Agreement fully and finally compromises and settles any and all claims that are, were, or could have been asserted in the litigation styled In re: T-Mobile Customer Data Security Breach Litigation".

The proposed settlement agreement will still need to be approved by a judge. Once approved, T-Mobile will have 10 days to put money into the fund to cover the costs of notifying people who are eligible to claim.

The settlement covers "the approximately 76.6 million US residents identified by T-Mobile whose information was compromised in the data breach", with a few caveats for some of the carrier's employees and people close to the judges that presided over the case. However, the settlement agreement did not list any estimates on how much each claimant can expect to receive.

The lawsuit T-Mobile is aiming to settle accused the company of failing to protect its past, present, and prospective customers' data, not properly notifying people who may have been impacted, and having "inadequate data security" overall.

According to T-Mobile, the settlement doesn't constitute an admission of guilt and denies the allegations listed in the agreement. The company "has the right to terminate the agreement under certain conditions" laid out in the proposed agreement, it stated on a US Securities and Exchange Commission filing, but it anticipates having to pay out the claims.

Outside of this lawsuit, there have been other responses to T-Mobile's data breach and others like it. The US Federal Communications Commission (FCC) proposed new rules surrounding such attacks, which aim to improve how a company communicates with people about their data.