T-Mobile reaches $500M settlement in data breach

T-Mobile agreed to settle a class action suit over the 2021 data breach that exposed sensitive information for millions of customers.

The company agreed to pay $350 million to fund claims submitted by class members, and on top of that will spend another $150 million on data security and related technology in 2022 and 2023.

The case involves more than 76.6 million U.S. residents identified by T-Mobile whose information was compromised in the data breach, according to the preliminary settlement filed in the U.S. District Court for the Western District of Missouri, where multiple cases were consolidated.

Final court approval of the settlement terms is expected as early as December 2022 but could be delayed by appeals or other proceedings, according to an Securities and Exchange Commission (SEC) report filed on Friday.

If approved by the court, the settlement is expected to resolve substantially all of the claims brought by the company’s current, former and prospective customers who were impacted by the 2021 cyberattack, the company said in the SEC filing.

T-Mobile expects to record a total pre-tax charge of about $400 million in the second quarter of 2022, which was already accounted for in its financial guidance.

The company admitted no wrongdoing in the breach, which surfaced last August. Back then, CEO Mike Sievert issued an apology and said the company was taking measures to protect against future incidents.

The breach didn’t expose any customer financial information, but names, addresses, birth dates, Social Security numbers and driver’s license IDs were among the items exposed.  

In January, FCC Chairwoman Jessica Rosenworcel circulated a Notice of Proposed Rulemaking (NPRM) among her colleagues with the intent of strengthening the agency’s rules for notifying customers and federal law enforcement of breaches of customer data, known as customer proprietary network information (CPNI). 

Current law already requires telecom carriers to protect the privacy and security of sensitive customer information, but Rosenworcel said the rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers.