After a 2021 cyberattack exposed millions of customers' personal information, T-Mobile agreed to a $350 million settlement to resolve claims that its negligence led to the breach. It was second-largest data breach settlement in US history, following Equifax's $700 million settlement in 2019.
The last day to submit a claim for part of the massive payout was Monday, Jan. 23, 2023. Just days before that deadline, though, T-Mobile announced another cyberattack on Jan. 19, one that impacted at least 37 million current customers.
T-Mobile attorney Kristy Brown called the latest attack "an altogether separate and different security incident" from the 2021 breach, adding that potential victims would be able to seek redress separately.
For more settlements, find out if you qualify for Avis' $45 million deal over hidden fees or AT&T's $60 million data-throttling payout.
What happened in the T-Mobile cybersecurity incident?
On Aug. 15, 2021, T-Mobile reported that it had suffered a massive cyberattack. Exactly how many customers were impacted isn't immediately clear: T-Mobile has said that only about 850,000 people's names, addresses and PINs were "compromised."
According to court filings, however, approximately 76.6 million people had their data exposed. And a hacker selling the information on the dark web told Vice they had personal information relating to more than 100 million T-Mobile users.
T-Mobile didn't acknowledge any wrongdoing but, in a statement shared with CNET, said that, "like every company, we are not immune to these criminal attacks."
John Binns, an American living in Turkey, eventually took responsibility for the breach, the fifth such attack on T-Mobile since 2015.
"I was panicking because I had access to something big," Binns told The Wall Street Journal. "Their security is awful."
According to plaintiffs in a class action lawsuit, T-Mobile should have better protected sensitive consumer data.
"Instead, T-Mobile suffered one of the largest and most consequential data breaches in US history, compromising the sensitive personal information of over 75 million consumers," their complaint read.
In March 2022, T-Mobile also fell prey to the hacker ring Lapsus$, which accessed employee accounts and attempted to find T-Mobile accounts associated with the FBI and the Department of Defense.
Who was eligible for money in the settlement?
T-Mobile identified 76 million past and present customers in the US whose information was potentially compromised in the data breach, though the actual number may be even higher. (You could confirm your status by emailing the settlement administrator or calling 833-512-2314.)
Most class members were notified of the proposed settlement by mail.
Fewer than 2 million class members filed a claim, according to Law.com, far lower than the average response rate given the number of people impacted.
What did T-Mobile offer customers affected by the data breach?
Current and former T-Mobile customers were eligible for a $25 cash payment, according to the settlement website. California residents were entitled to $100.
If you had to spend time or money to recover from fraud or identity theft relating to the breach, you could be reimbursed up to $25,000, though you had to submit extensive documentation supporting your claim.
T-Mobile offered two free years of McAfee's ID Theft Protection Service to anyone who believed they may have been a victim of the hack. It also agreed to invest $150 million in improving its data security.
What's T-Mobile doing to protect against future data breaches?
T-Mobile has doubled down on fighting hackers, the company said in its July 22 statement. It's boosting employee training, collaborating on new protocols with industry experts like Mandiant and Accenture and creating a cybersecurity office that reports directly to CEO Mike Sievert.
Read more: How to Protect Your Personal Data After a Security Breach