Better safe than sorry

T-Mobile to pay $500M for one of the largest data breaches in US history [Updated]

$350 million will go to customers and lawyers.

Ashley Belanger

When T-Mobile compromised the sensitive personal information of more than 76 million current, former, and prospective customers in 2021, plaintiffs involved in a class action lawsuit complained that the company continued profiting off their data while attempting to cover up “one of the largest and most consequential data breaches in US history.”

Now, T-Mobile has admitted no guilt but has agreed to pay a $500 million settlement (pending a judge’s approval), out of which $350 million will go to the settlement fund and “at least $150 million” will go toward enhancing its data security measures through 2023.

T-Mobile declined to tell Ars about specific upcoming plans to improve data security, instead linking to a statement that outlines measures it has taken to “double down” on security in the past year. That includes creating a Cybersecurity Transformation Office that directly reports to T-Mobile CEO Mike Sievert; collaborating with cybersecurity firms to “further transform our cybersecurity program;” ramping up employee cybersecurity training; and investing “hundreds of millions of dollars to enhance our current cybersecurity tools and capabilities.”

All T-Mobile customer payouts from the proposed settlement will be disbursed through an independent third-party settlement administrator. The agreement says that T-Mobile will have 10 days to send funds to the settlement administrator to start the process of notifying everybody who has been deemed eligible to file claims.

Right now, nobody knows exactly how big the individual payouts will be, because that figure will depend on the total number of claims filed if the settlement is approved. T-Mobile says everyone whose data was compromised has already been notified, while lawyers representing people suing T-Mobile have said it’s still possible that more victims will be identified. At least one law firm set up an email address to field questions from anyone concerned about missing out on the proposed settlement. In the proposed settlement agreement, T-Mobile also said that a toll-free number and website would be set up to answer all remaining questions.

In its statement, T-Mobile says it’s “pleased to have resolved this consumer class action filing.”

For T-Mobile customers injured by the data breach, the pain is not expected to ever really end, though. In their complaint, customers say they’ll continue paying for T-Mobile’s weak security choices. They view their data as forever compromised, and they claim they’ll need to pay for ongoing identity theft protection moving forward, with the “certain, imminent, and ongoing threat of fraud and identity theft” always looming.

[Update: Attorney Cari Laufenberg, co-lead counsel for plaintiffs, provided a link to T-Mobile's settlement website for updates and says, "The settlement provides unprecedented relief to a class of this size and was achieved early in the litigation, meaning benefits will be in the hands of class members much sooner than can usually be accomplished in these cases."]

T-Mobile’s data security missteps

A lot went wrong for T-Mobile’s data breach to occur, but plaintiffs say the company broke the terms of its own privacy policy by not properly disclosing information about the breach or building proper safeguards to reasonably protect data in the first place.

Perhaps the most straightforward example of T-Mobile not properly disclosing information about the breach was its seeming cover-up of hacked accounts where Social Security numbers were leaked. In the complaint, customers shared text and email notifications from T-Mobile that described the leak in general terms and did not warn customers whose Social Security numbers had actually been exposed; customers whose Social Security numbers were not exposed, by contrast, received different notifications that specifically reassured them of that fact. The contradiction suggests that T-Mobile willfully hid details of the data breach from those most vulnerable to identity theft.

Perhaps most egregious among allegations claiming that T-Mobile did not take basic steps to properly safeguard data was a complaint that the company did not rely on an industry-standard practice for data protection called “rate limiting.”

Rate limiting is a way to keep servers stable when they are hit with too many requests at once. By capping how many requests a server will accept from a given source during a given timeframe, it helps prevent resource starvation for normal users and blocks attackers from inundating servers with requests. Anyone who has ever been locked out after too many failed logins in a row has experienced the effectiveness of this defense.

One of the hackers behind the data breach, John Binns, claimed that “none of T-Mobile’s hacked servers had rate limiting enabled.” Because of that, his brute-force attacks submitting many passwords and phrases at once in hopes of guessing correct logins to break into T-Mobile’s IT servers worked.
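To make the defense concrete, here is an added example (not T-Mobile's code or anything from the complaint) of a sliding-window login rate limiter with a lockout, keyed by account or source address; the limits of 5 attempts per 60 seconds and a 300-second lockout are assumed, illustrative values. A simulated burst of password guesses shows how few attempts get through once the limiter is in place.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter for authentication attempts.

    At most `max_attempts` attempts per key (account name, source IP, ...)
    are accepted within any `window_s`-second window; one attempt beyond
    that locks the key out for `lockout_s` seconds. Values are assumptions
    chosen for illustration, not any carrier's real policy.
    """

    def __init__(self, max_attempts=5, window_s=60.0, lockout_s=300.0):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._attempts = defaultdict(deque)  # key -> timestamps of recent attempts
        self._locked_until = {}              # key -> time at which lockout expires

    def try_attempt(self, key, now=None):
        """Record one login attempt; return True if it may proceed, False if rejected."""
        now = time.monotonic() if now is None else now
        if self._locked_until.get(key, 0.0) > now:
            return False                     # still locked out: reject without counting
        window = self._attempts[key]
        while window and now - window[0] >= self.window_s:
            window.popleft()                 # drop attempts that fell out of the window
        if len(window) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_s
            return False                     # over the limit: start a lockout
        window.append(now)
        return True


def simulate_brute_force(limiter, key, guesses, start=0.0, interval=0.01):
    """Feed a rapid burst of guesses (constructed input) against one key.

    Returns how many guesses the limiter allowed to reach the password check.
    """
    allowed = 0
    for i in range(guesses):
        if limiter.try_attempt(key, now=start + i * interval):
            allowed += 1
    return allowed


if __name__ == "__main__":
    limiter = LoginRateLimiter()
    print("guesses allowed out of 1000:", simulate_brute_force(limiter, "victim-account", 1000))
```

A legitimate user who mistypes a password a few minutes apart is never affected, while an unthrottled guessing burst is cut off at the configured cap and the key stays locked until the lockout expires.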

T-Mobile says that it most regrets security practices that allowed the breach to happen, but what prolonged injuries for many plaintiffs was T-Mobile’s decision not to promptly notify customers when the data breach occurred. Some customers only found out their data was compromised because they already used third parties to monitor their data online. Those third parties notified them before T-Mobile did.

The FBI found that instead of telling customers what happened, T-Mobile tried to buy the breached data, seemingly expecting the hacker would delete the database and the problem might disappear. Instead, Binns’ co-conspirators kept on selling the data, and more customers were notified by third parties rather than by T-Mobile. Vice eventually reported how widespread the problem was, leading to the lawsuit.

The largest number of people affected weren’t even current T-Mobile customers. About 40 million were either former or prospective customers who had their names, birth dates, driver’s licenses, and Social Security numbers stolen. Just shy of 8 million individuals who were current customers had that data stolen, plus their phone numbers and other identifying mobile phone information. Another 5 million customers had their names, addresses, birth dates, and phone numbers stolen. T-Mobile estimates the total number of people affected is around 76.6 million.

Back when the data breach occurred last year, T-Mobile CEO Mike Sievert wrote that his team was “truly sorry” that “we didn’t live up to the expectations we have for ourselves to protect our customers.” He promised to “rebuild trust,” in part by enhancing web security measures to prevent future attacks on T-Mobile servers.

At that time, T-Mobile announced efforts like “offering two years of free identity protection services” to anyone affected. The company also suggested best practices for customers to protect their own data following the breach, like resetting their PINs and passwords.

Some plaintiffs say they’ll be using a portion of any settlement agreed upon to pay hundreds more out of pocket for identity theft protection for the rest of their lives, because their data is already out there. At least one plaintiff already spent hours dealing with an “unknown loan or debt applied for in his name, which appeared on his credit reports following the breach.” Another had to deal with filing multiple disputes after their information was fraudulently used in “multiple unauthorized attempts to receive unemployment from the State of Pennsylvania and State of Delaware.”

Ashley Belanger Senior Policy Reporter
Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.