If you were one of the nearly 77 million people affected by last year’s T-Mobile breach, you may have a few bucks coming your way. The company has just announced the terms of a settlement in a consolidated class action lawsuit, and it isn’t cheap: $350 million to be split up by customers (and lawyers), plus $150 million “for data security and related technology.” Let this be a lesson to all companies: If you stay ready, you don’t have to spend $150 million to get ready!
The breach apparently occurred sometime early last year, after which collections of T-Mobile customer data were put up for sale on various criminal forums. Estimates of how many people were affected varied, with T-Mobile claiming less than a million had accounts and PINs fully exposed (still not great), and somewhere between 40 and 100 million users total with some data taken.
The settlement, described in an SEC filing and court filing (PDF) first spotted by Geekwire, doesn’t appear to have separate terms for people affected differently by the hack — but that might have been handled separately for all we know. For now, the class defined by the settlement document is “the approximately 76.6 million U.S. residents identified by T-Mobile whose information was compromised in the Data Breach,” with a little extra legalese for Californians, where class actions are handled slightly differently.
As is common in these giant lawsuits, lawyers take a huge bite and then the company must alert the class members they’re owed money, so you can expect a postcard if you were a T-Mobile customer in August of 2021 (in the interest of full disclosure, I was). Then the money gets split up, depending on how many people respond and how much the lawyers take. The final settlement terms could be approved as early as December.
Chances are you won’t even be able to cover a single monthly mobile bill with what you get, but these days a $9 check might be the difference between “dinner” and “no dinner” for quite a few people, so let’s not mock these small sums — except that it’s kind of insulting to have five serious breaches in as many years and all customers get is enough to order off the value menu.
The company, which merged with Sprint just before the breach, said in its SEC filing that it will be dedicating $150 million to improving its security, so maybe it’s taking things seriously now. Guess we’ll find out soon.
To guard against data loss and misuse, the cybersecurity conversation must evolve