When T-Mobile compromised the sensitive personal information of more than 76 million current, former, and prospective customers in 2021, plaintiffs involved in a class action lawsuit complained that the company continued profiting off their data while attempting to cover up “one of the largest and most consequential data breaches in US history.”
Now, T-Mobile has admitted no guilt but has agreed to pay a $500 million settlement (pending a judge’s approval), out of which $350 million will go to the settlement fund and “at least $150 million” will go toward enhancing its data security measures through 2023.
T-Mobile declined to tell Ars about specific upcoming plans to improve data security, instead linking to a statement that outlines measures it has taken to “double down” on security in the past year. That includes creating a Cybersecurity Transformation Office that directly reports to T-Mobile CEO Mike Sievert; collaborating with cybersecurity firms to “further transform our cybersecurity program;” ramping up employee cybersecurity training; and investing “hundreds of millions of dollars to enhance our current cybersecurity tools and capabilities.”
All T-Mobile customer payouts from the proposed settlement will be disbursed through an independent third-party settlement administrator. The agreement says that T-Mobile will have 10 days to send funds to the settlement administrator to start the process of notifying everybody who has been deemed eligible to file claims.
Right now, nobody knows exactly how big the individual payouts will be, because that figure will depend on the total number of complaints filed if the settlement is reached. T-Mobile says everyone whose data has been compromised has been notified already, while lawyers representing people suing T-Mobile have said it’s still possible that more victims will be identified. At least one law firm set up an email address to field questions from anyone concerned about missing out on the proposed settlement. In the proposed settlement agreement, T-Mobile also said that a toll-free number and website would be set up to answer all remaining questions.
In its statement, T-Mobile says it’s “pleased to have resolved this consumer class action filing.”
For T-Mobile customers injured by the data breach, the pain is not expected to ever really end, though. In their complaint, customers say they’ll continue paying for T-Mobile’s weak security choices. They view their data as forever compromised, and they claim they’ll need to pay for ongoing identity theft protection moving forward, with the “certain, imminent, and ongoing threat of fraud and identity theft” always looming.
T-Mobile’s data security missteps
Perhaps the most straightforward example of T-Mobile not properly disclosing information about the breach was its seeming cover-up of hacked accounts in which Social Security numbers were leaked. In the complaint, customers shared text and email notifications from T-Mobile that described the data leak only in general terms and did not warn a customer that their Social Security number had been leaked when it had been; yet when it had not been, T-Mobile sent different notifications that specifically reassured customers that Social Security numbers were not leaked. The contradiction suggests that T-Mobile willfully hid details of the data breach from those most vulnerable to identity theft.
Perhaps most egregious among allegations claiming that T-Mobile did not take basic steps to properly safeguard data was a complaint that the company did not rely on an industry-standard practice for data protection called “rate limiting.”
Rate limiting protects servers from being hit with too many requests at once. By capping how many requests a server accepts during a given timeframe, it helps prevent resource starvation for normal users and stops attackers from inundating servers with requests. Anyone who has ever been locked out after too many failed logins in a row has experienced the effectiveness of this defense.
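The lockout behavior described above, as an added illustration of the defense (this is example code written for this article, not T-Mobile's implementation): a sliding-window limiter that locks an account or source after too many failed logins. The thresholds (5 failures within 5 minutes, 15-minute lockout) and the injectable clock are assumptions made for the example.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Lock a key (account name or source IP) after too many failed logins
    inside a sliding window. Assumed thresholds; tune for your service."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock expires

    def _prune(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_allowed(self, key):
        """True if the key may attempt a login right now."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[key]       # lock expired; start fresh
            self._failures[key].clear()
        return True

    def record_failure(self, key):
        """Register a failed login; returns False once the key becomes locked."""
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return False
        return True

    def record_success(self, key):
        # A successful login clears the failure history for that key.
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)

    def attempt(self, key, credentials_ok):
        """Gate one login attempt: returns 'locked', 'ok' or 'failed'."""
        if not self.is_allowed(key):
            return "locked"
        if credentials_ok:
            self.record_success(key)
            return "ok"
        self.record_failure(key)
        return "failed"
```

Keying on both the account and the source address, and logging each transition into the locked state, gives a detection signal for credential-stuffing bursts as well as a brake on them.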