T-Mo will also pump an additional $150 million into data security spending
T-Mobile US has agreed to a $350 million settlement in a class action lawsuit over a 2021 security breach at the company that was the its largest ever and resulted in the data of tens of millions of current, former and prospective customers being compromised.
As part of the settlement, the network operator also committed to spending an additional $150 million on data security through 2023, bringing the total settlement-related spending to $500 million.
The proposed class action settlement “contains no admission of liability, wrongdoing or responsibility,” according to a company filing with the Securities and Exchange Commission. It could be approved as soon as December 2022.
As a result of the proposed settlement and additional settlements that the company is working through, T-Mo said to expect a $400 million financial charge recorded in its second-quarter 2022 financial results. The carrier is scheduled to report its Q2 results tomorrow.
T-Mobile US originally said around the time of the breach that the information of about 13.1 million current postpaid customers had associated information illegally accessed, that data files with information on about 40.6 million “former or prospective T-Mobile customers” were compromised, and that information including account PINS was breached for around 900,000 active T-Mobile or Metro prepaid customers. The information included customers first and last names, Social Security numbers and drivers license information, among other personal details. Ultimately, T-Mo concluded that the total number of people affected was around 76.6 million.
A 21-year-old U.S. citizen living in Turkey claimed responsibility for the attack; he spoke to multiple media outlets, provided evidence to support his claim to the Wall Street Journal and said that he conducted the attack in retaliation for being targeted by United States law enforcement agencies over alleged involvement in a malicious botnet. The man subsequently filed a lawsuit against the Department of Justice, FBI and CIA in Washington, D.C. District Court, then had the case dismissed a month later.
T-Mobile US CEO Mike Sievert indicated in the immediate wake of the breach that T-Mobile US expanded its relationship with security company Mandiant and began working with KPMG to bolster its security strategy.
T-Mobile US has weathered a number of large data breaches (having confirmed half a dozen since 2018, according to TechCrunch), but the 2021 incident was its largest-to-date breach of consumer information. And the challenge of security is ongoing and constantly evolving, for network operators and other high-profile tech companies that are targeted by cybercriminals. Most recently, security researcher Brian Krebs reported in April of this year that he had obtained chat logs from hackers discussing theft of source code from T-Mobile US after accessing internal employee software tools that allowed them to “SIM swap,” or reassign a mobile number to a device under the hackers’ control in order to intercept information.
LAPSUS$ hackers used their access to look up T-Mobile US according that were associated with the FBI and the U.S. Department of Defense, Krebs wrote (and provided screenshots), but those accounts could not be changed because they required additional verification processes.
T-Mobile US told Krebs that its monitoring tools had detected the use of stolen credentials in its internal systems but that “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”