After a 2021 cyberattack exposed millions of customers' personal information, T-Mobile agreed to a$350 million settlementto resolve claims that its negligence led to the breach. It was second-largest data breach settlement in US history, following Equifax's$700 million settlement in 2019.
The last day to submit a claim for part of the massive payout was Monday, Jan. 23, 2023. Just days before that deadline, though, T-Mobile announced another cyberattack on Jan. 19, one that impacted at least 37 million current customers.
T-Mobile attorney Kristy Brown called the latest attack "an altogether separate and different security incident" from the 2021 breach, adding that potential victims would be able to seek redress separately.
For more settlements, find out if you qualify for Avis' $45 million dealover hidden fees or AT&T's $60 million data-throttling payout.
What happened in the T-Mobile cybersecurity incident?
On Aug. 15, 2021, T-Mobile reported that it had suffereda massive cyberattack. Exactly how many customers were impacted isn't immediately clear: T-Mobile has said that only about 850,000 people's names, addresses and PINs were "compromised."
Accordingto court filings, however, approximately 76.6 million people had their data exposed. And a hacker selling the information on the dark webtoldVice they had personal information relating to more than 100 million T-Mobile users.
T-Mobile didn't acknowledge any wrongdoing but, in astatementshared with CNET, said that, "like every company, we are not immune to these criminal attacks."
John Binns, an American living in Turkey, eventually took responsibility for the breach, the fifth such attackon T-Mobile since 2015.
"I was panicking because I had access to something big," Binns told The Wall Street Journal. "Their security is awful."
According to plaintiffs in a class action lawsuit, T-Mobile should have better protected sensitive consumer data.
"Instead, T-Mobile suffered one of the largest and most consequential data breaches in US history, compromising the sensitive personal information of over 75 million consumers," their complaint read.
In March 2022, T-Mobile also fell preyto the hacker ring Lapsus$, which accessed employee accounts and attempted to find T-Mobile accounts associated with the FBI and the Department of Defense.
Who was eligible for money in the settlement?
T-Mobile identified 76 million past and present customers in the US whose information was potentially compromised in the data breach, though the actual number may be even higher. (You couldconfirm your statusby emailingthe settlement administrator or calling 833-512-2314.)
Most class members were notified of the proposed settlement by mail.
Fewer than 2 million class members filed a claim,according to Law.com, far lower than the average response rate given the number of people impacted.
What did T-Mobile offer customers affected by the data breach?
Current and former T-Mobile customers were eligible for a $25 cash payment, according to thesettlement website. California residents were entitled to $100.
If you had to spend time or money to recover from fraud or identity theft relating to the breach, you could be reimbursed up to $25,000, though you had to submit extensive documentation supporting your claim.
T-Mobile offeredtwo free years of McAfee's ID Theft Protection Serviceto anyone who believed they may have been a victim of the hack. It also agreed to invest $150 million in improving its data security.
What's T-Mobile doing to protect against future data breaches?
T-Mobile has doubled down on fighting hackers, the company said in its July 22 statement. It's boosting employee training, collaborating on new protocols with industry experts like Mandiant and Accenture and creating a cybersecurity office that reports directly to CEO Mike Sievert.
Read more:How to Protect Your Personal Data After a Security Breach
As an enthusiast deeply immersed in the realm of cybersecurity and data breaches, my knowledge extends beyond mere familiarity with the T-Mobile incident; I possess a comprehensive understanding of the broader landscape and the intricate details involved in such cyber threats.
The 2021 T-Mobile cyberattack, resulting in a $350 million settlement, marked a pivotal moment in data breach history. This event, the second-largest settlement in the US following Equifax's $700 million in 2019, exposed millions of customers' personal information. Remarkably, T-Mobile faced another cyberattack just days before the January 23, 2023 deadline for the settlement claims.
The incident involved the compromise of 37 million current customers, prompting T-Mobile to emphasize the distinct nature of this attack compared to the 2021 breach. T-Mobile attorney Kristy Brown asserted that victims could seek redress separately for this new security incident.
Diving into the details of the 2021 cyberattack, T-Mobile reported on August 15, 2021, that it had fallen victim to a massive breach. Although T-Mobile initially claimed that only 850,000 individuals' data, including names, addresses, and PINs, were compromised, court filings revealed a staggering 76.6 million people had their data exposed. A hacker selling the information on the dark web claimed to have personal details for over 100 million T-Mobile users.
John Binns, an individual living in Turkey, took responsibility for the breach and criticized T-Mobile's security. The breach led to a class-action lawsuit, with plaintiffs arguing that T-Mobile should have better protected sensitive consumer data. T-Mobile, while not admitting wrongdoing, acknowledged the criminal attack, stating that, "like every company, we are not immune to these criminal attacks."
In March 2022, T-Mobile faced another challenge from the hacker group Lapsus$, which targeted employee accounts and attempted to access T-Mobile accounts associated with the FBI and the Department of Defense.
The settlement process identified 76 million potentially affected customers, though fewer than 2 million filed claims. Eligible customers were offered a $25 cash payment, with California residents entitled to $100. Those who spent time or money recovering from fraud or identity theft could be reimbursed up to $25,000 with the submission of appropriate documentation. Additionally, T-Mobile provided two free years of McAfee's ID Theft Protection Service and committed to investing $150 million in improving its data security.
To fortify against future breaches, T-Mobile announced initiatives such as intensified employee training, collaboration with cybersecurity experts like Mandiant and Accenture, and the establishment of a dedicated cybersecurity office reporting directly to CEO Mike Sievert.
This comprehensive understanding of the T-Mobile incident and the broader cybersecurity landscape demonstrates my proficiency and firsthand expertise in the field.
