T-Mobile US to cough up $550m after info stolen on 77m customers
Oops, did the Un-carrier under-count by 29m punters?
T-Mobile US has agreed to pay about $550 million to end legal action against it and improve its security after crooks infiltrated the self-described Un-carrier last summer and harvested personal data belonging to almost 77 million customers.
The cellular network operator (2021 net income: $3 billion) agreed to pay $350 million to cover legal fees and settle a class-action lawsuit brought by customers whose data was compromised in an August 2021 privacy breach, according to documents filed with the US Securities and Exchange Commission on Friday.
This payout will be divided up among 76.6 million US residents, according to the proposed settlement agreement [PDF], which is subject to approval by a district court judge. That'll be less than five dollars each if everyone claims, and a good chunk of the money will go to the lawyers involved.
It's worth noting that the number of customers affected by the security breach is much larger than the wireless giant admitted to last year. While crooks claimed to have stolen data belonging to 100 million — including their names, addresses, social security numbers and driver's license info — T-Mo execs at the time copped to a mere 48 million compromised customers.
After siphoning customers' data, criminals listed 30 million records on an underground forum to the tune of six Bitcoin or $280,000, and sold the rest privately, we're told. It's further reported, by Vice, that T-Mo even hired a third party – believed to be Mandiant – to exclusively obtain the data from the thieves for $200,000, to limit its spread, but the plan failed as the crooks continued to sell the stolen information.
In addition to writing checks to millions of customers to settle the class-action lawsuit, as well as settling other separate claims, the US mobile carrier will also spend $150 million on data security "related technology" this year and next.
This puts the total at about $550 million by the end of 2023, according to the SEC documents.
"In connection with the proposed class-action settlement and the separate settlements, the company expects to record a total pre-tax charge of approximately $400 million in the second quarter of 2022," plus "the $150 million incremental spend," the SEC filing noted.
In a statement on its website about the proposed settlement, T-Mobile US said it has "doubled down" on its "extensive cybersecurity program" over the past year.
This includes creating a "cybersecurity transformation office" that reports directly to the CEO, and adding "more top talent with decades of cyber strategy experience and leadership to our team."
Also over the last 12 months, T-Mo has participated "in long-term collaborations with industry experts Mandiant, Accenture, and KPMG to design strategies and execute plans to further transform our cybersecurity program."
It will also invest "hundreds of millions of dollars to enhance our current cybersecurity tools and capabilities," and conduct "nearly 900,000 training courses for employees and partners" about cybersecurity.
"Customers are first in everything we do and protecting their information is a top priority," according to T-Mobile US's statement. "Like every company, we are not immune to these criminal attacks."
The 2021 cyberattack was T-Mobile US's fifth publicly acknowledged security breach in four years. ®