Skip to content
Naked Security Naked Security

T-Mobile to cough up $500 million over 2021 data breach

Technically, it's not a fine, and the lawyers will get a big chunk of it. But it still adds up to a half-billion-dollar data breach.

Just under a year ago, the US arm of telecomms giant T-Mobile admitted to a data breach after personal information about its customers was offered for sale on an underground forum.

At the time, VICE Magazine claimed to have communicated with the hacker behind the breach via online chat, and to have been offered “T-Mobile USA. Full customer info.”

VICE’s Motherboard reporters wrote at the time that:

The data include[d] social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.

IMEI is short for International Mobile Equipment Identity, a globally unique serial number burned into your phone when it’s manufactured. Because the IMEI is considered a “non-resettable identifier”, apps on both Android and iOS are restricted from accessing it unless they have been granted special device management privileges, and developers are instructed to rely on user-resettable identifiers such as advertising IDs when legitimately tracking users and devices. You can view your phone’s IMEI by dialling the special phone number *#06#.

Reuters reports that T-Mobile has agreed, in a US federal court in Missouri, to make $350,000,000 available for what are known in America as class-action settlements.

Class actions involve individuals, who would otherwise need to sue individually for impossibly small amounts, banding together with a team of attorneys to bring lawsuits that combine their individual complaints.

Part of the $350 million mega-settlement, says Reuters, is up to $105,000,000 (30% of the total amount) for the lawyers, leaving a slightly less dramatic $245 million for the individuals who joined the suit.

Apparently, more than 75 million people were affected in the breach, though with the standard payout listed by Reuters as $25 per person, it looks as though fewer than 10 million of them decided to sign up to be part of the legal action.

According to Reuters, T-Mobile will also commit to spending “an additional US$150 million to upgrade data security”, bringing its total settlement pledge to half-a-billion dollars.

In return, T-Mobile doesn’t have to admit guilt, so this isn’t a fine or a criminal penalty – it’s a civil agreement to settle the matter.

The settlement still needs approval from from the court, something that’s expected to happen by the end of 2022.


8 Comments

105 Million for the lawyers whereas there’s just 25 left for each individual concerned?? Wow that sounds like quite a lucrative deal for the US legal profession, inconceivable to realize in juridicial systems across the European continent. It would interest me how many attorneys have been involved in that case and what amount of effort they actually had to expend in order to achieve this remarkable settlement. Needless to say that none of them would be willing to reveal any figures to the public.

If only I had known I could have been part of this suit,
I might have joined.

So, the lucky few could get $25, or if everyone were
included, $3.50. Sounds about right for a class action.

These class action suits always make money for the attorneys and leave the victim holding the bag of peanuts.

I could have been included in this if it also involved METRO by T-Mobile; as my identity was stolen early last year. For all the legwork I’ve had to do for my identity theft, the payout would definitely not be worth filing for it.

If your identity was stolen at the start of last year, then it’s reasonable to assume that it wasn’t related to this breach, which seems to have happened in the second half of the year…

That’s a lot!
They could had just donated it towards development or services delivery: now the richer gets rich .
They must just regulate the money,it’s governmental after all;

Oh looky here, you get a free week of phone service for one of the phones on your plan!

Why was T-mobile storing ss#’s when they no longer needed them? This breach has affected so many people, and it’s very frustrating when someone is very protective of their sensitive data and has their data exposed on the dark web and has to deal with all that comes along with that. $25? Seriously??!

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?