T-Mobilein a class action suit that alleged it allowed sensitive information from millions of current, past and prospective customers to be stolen by hackers last year.
If approved, the deal will be the second-largest data-breach settlement in US history, after Equifax’s agreement to pay $700 million in 2019.
The mobile carrier has not acknowledged any wrongdoing but in a statement shared with CNET, T-Mobile said it was “pleased to have resolved this consumer class action filing.”
“Customers are first in everything we do and protecting their information is a top priority,” T-Mobile added. “Like every company, we are not immune to these criminal attacks.”
In addition to paying affected customers, T-Mobile will invest $150 million in improving its data security, according to SEC filings.
Here’s what you need to know about the T-Mobile data-breach settlement, including who’s eligible for a payout, how much they could get and when the money might arrive.
For more, find out if you qualify for Facebook’s $90 class action settlement.
What happened in the T-Mobile data-breach case?
On August 15, 2021, T-Mobile reported a cyberattack had led to the theft of millions of people’s personal information. According to court documents, names, addresses, dates of birth, Social Security numbers, driver’s license details and other sensitive information were exposed, including unique codes that identified individual phones.
Exactly how many people were affected is unclear: According to court filings, 76.6 million people had their data exposed, but T-Mobile has claimed only about 850,000 people’s names, addresses and PINs were “compromised.”
An individual selling the information on the dark web for 6 bitcoin (approximately $277,000 at the time) told Vice they had data relating to over 100 million people, all compiled from T-Mobile servers.
John Binns, a 21-year-old living in Turkey, eventually took responsibility for the cyberattack, thethat has hit T-Mobile since 2015.
“I was panicking because I had access to something big,” Binns told The Wall Street Journal. “Their security is awful.”
The July 24 settlement, filed in the US District Court for the Western District of Missouri, merges at least 44 class action suits that claimed T-Mobile was lax with its cybersecurity and failed to protect personal information.
How do you find out if you qualify for a payment?
T-Mobile has not released the full details of its payment plan. Typically class members — in this case, people who were T-Mobile customers in August 2021 — are notified they are eligible by mail. (Full disclosure: This reporter was a T-Mobile customer at that time.)
Read more: How to Protect Your Personal Data After a Security Breach
Customers are then given 90 days to submit claim forms or request to opt out of the settlement and reserve the right to pursue their own separate legal claims, according to court papers.
It could be several months before individuals find out if they will receive money from the settlement, TechCrunch reported.
How much money could you receive?
Class members could receive cash payments of $25, Reuters reported, or $100 for California residents.
It could also be substantially less, depending on how many people respond. In addition to paying out claims, the $350 million has to go toward settling legal fees and administrative costs. The plaintiffs’ lawyers may charge up to 30% of the settlement, according to court filings.
Separately, some people could receive as much as $25,000 to cover losses they suffered as a direct result of the breach.
T-Mobile is also offering two free years of McAfee’s ID Theft Protection Service to anyone who believes they may have been a victim.
When might you receive your money?
Even if you qualify, you likely won’t see any money until at least 2023.
T-Mobile has 30 days to provide the court with a list of class members, along with their phone number and mailing and email addresses, “to the extent available.”
Once eligible parties are notified, claims are submitted, legal fees are deducted and the remaining money is divvied up among class members who sent back claim forms. That likely will take months.
In addition, the $350 million payout is preliminary. It still requires final approval from a judge, which T-Mobile says would come by December at the earliest.
What is T-Mobile doing to protect against future security breaches?
T-Mobile has “doubled-down” on fighting hackers, the company said in its July 22 statement, by boosting employee training, collaborating with industry experts like Mandiant and Accenture on new protocols and creating a cybersecurity office that reports directly to the company’s chief executive officer, Mike Sievert.
Security journalist Brian Krebs reported in April 2022 that T-Mobile was a victim of the hacking group Lapsus$.
The hackers accessed employee accounts and attempted to find T-Mobile accounts associated with the Department of Defense and FBI, TechCruch reported. They were thwarted by secondary authentication checks.