• Operator agrees hefty sum to settle class action suit after customer data stolen in cyberattack last August.
  • $350m to fund claims submitted by class members and legal fees; remainder to be spent on data security tech until 2023.
  • Settlement still needs preliminary and final court approval.


T-Mobile US takes $500m hit on data breach

Source: Unsplash / Sharon McCutcheon

T-Mobile US agreed to pay a total of $500m (£416m/€489m) to settle a class action suit related to a cyberattack last August in which personal customer information was stolen from the operator’s servers.

According to media reports at the time, hackers were boasting in an online forum that the personal data of 100 million T-Mobile customers, including social security numbers and drivers’ licence information, was up for sale.

However, in its filing to the US Securities and Exchange Commission disclosing the details of settlement, T-Mobile’s account of the data breach was couched in less emotive terms.

T-Mobile US”, stated the filing, “entered into an agreement to settle a consolidated class action lawsuit asserting claims related to a 2021 criminal cyberattack involving unauthorised access to the company’s systems in which certain information about a number of the company’s current, former, and prospective customers was compromised”.

Under the terms of the settlement, T-Mobile will pay an aggregate of $350m to fund claims submitted by class members, the legal fees of plaintiffs’ counsel, and the costs of administering the settlement. The operator said it will also commit to an aggregate incremental spend of $150m for data security and “related technology” in 2022 and 2023.

In connection with the proposed class action settlement and separate settlements, the operator expects to record a total pre-tax charge of approximately $400m when it announces its quarter ended 30 June 2022 (Q1 FY22–23) financial results later this week. The $350m charge and the $150m incremental spend, said T-Mobile, are already baked into previously announced financial guidance.

The settlement still needs preliminary and final court approval, which T-Mobile expects might happen as early as December, “but could be delayed by appeals or other proceedings”. The operator added that it has the right to terminate the agreement “under certain conditions”, although did not elaborate on what those might be in its SEC filing.

Red faces all round

T-Mobile top brass will no doubt be hoping that the class action suit settlement can help repair what was a PR disaster, and give it more time to build up better security credentials.

Shortly after the data breach last August, T-Mobile CEO Mike Sievert announced partnerships with US cybersecurity firm Mandiant and consulting firm KPMG to help the company clean up its security act. The partnerships are “part of a substantial multi-year investment to adopt best-in-class practices and transform our approach”, he said.

For customers, the operator said it will offer free two-year subscriptions to McAfee’s ID Theft Protection Service and provide Account Takeover Protection to contract customers.