T-Mobile has agreed to pay $500 million to settle a class-action lawsuit stemming from the 2021 hack that it says exposed around 76.6 million US residents’ data. According to the proposed agreement filled on Friday, which you can read in full below, T-Mobile will put $350 million into a settlement fund to go to lawyers, fees, and, of course, to people who file claims. It’ll also be obligated to spend $150 million on “data security and related technology” during 2022 and 2023, in addition to what it had already budgeted for.
In August, the company announced that its systems had been breached, following reports that Social Security numbers, names, addresses, and driver’s license information for over 100 million of its customers was for sale. While the number proved to be slightly inflated, T-Mobile’s figure of how many people were impacted continued to rise over the rest of the month. T-Mobile’s CEO called this security breach — its fifth in four years — “humbling.”
The proposed settlement agreement still has to be approved by a judge, but if it is, T-Mobile will have 10 days to put money in the fund to cover the costs of notifying people who are eligible to claim. According to the settlement, that covers “the approximately 76.6 million U.S. residents identified by T- Mobile whose information was compromised in the Data Breach,” with a few caveats for some of the carrier’s employees and people close to the judges that presided over the case. In the interest of full disclosure, that could very well mean that I’m eligible to apply for compensation, as I was a T-Mobile customer when the hack occurred.
The settlement agreement doesn’t contain estimates on how much each claimant can expect to receive, though it’s difficult to estimate that kind of thing until it’s clear how many people will make claims.
The lawsuit that T-Mobile is hoping to settle here accused the company of failing to protect its past, present, and prospective customers’ data, not properly notifying people who may have been impacted, and overall having “inadequate data security.” T-Mobile denies these allegations in the agreement, saying that the settlement doesn’t constitute an admission of guilt. In a filing with the Securities and Exchange Commission, the carrier says it “has the right to terminate the agreement under certain conditions” laid out in the proposed agreement but says that it anticipates having to pay out the claims.
Outside of this lawsuit, there have been other responses to T-Mobile’s data breach and others like it. The FCC proposed new rules surrounding such attacks, which aim to improve how a company communicates with people about their data.