iPhone 14 Pro vs. Galaxy S22 Ultra HP Pavilion Plus Planet Crossword Pixel Watch Apple Watch Ultra AirPods Pro 2 iPhone 14 Pro Camera Best Android Phones
Want CNET to notify you of price drops and the latest stories?
No, thank you
Accept

T-Mobile $350 Million Data Breach Settlement: Are You Eligible for Money?

A cyberattack affected nearly 80 million T-Mobile customers last year.

Woman looks at phone with T-Mobile logo on it
If approved, the T-Mobile settlement will be the second-largest data-breach payout in US history.
Rafael Henrique/SOPA Images/LightRocket via Getty Images

If you're a current or past T-Mobile customer, you may be owed money in a rather large legal settlement. T-Mobile has agreed to a $350 million payout to settle litigation over a 2021 cyberattack that exposed millions of users' personal information. 

The carrier hasn't acknowledged any wrongdoing, but in a statement shared with CNET,  said it was "pleased to have resolved this consumer class action filing." 

"Customers are first in everything we do and protecting their information is a top priority," T-Mobile said. "Like every company, we are not immune to these criminal attacks."

If given final approval, the agreement will be the second-largest data breach settlement in US history, following Equifax's $700 million settlement in 2019.

Find out what you need to know about the T-Mobile data breach, including who is eligible for a check, how much they might get and when the money could arrive.

For more on class-action suits, find out if you qualify for a payout from Facebook's $90 million settlement, the $190 million Capital One data breach case or AT&T's $14 million hidden-fees payout.

What happened in the T-Mobile data breach case?

On Aug. 15, 2021, T-Mobile reported a cyberattack had led to the theft of millions of people's personal information -- including names, addresses, birth dates, Social Security numbers, driver's license details and unique codes that identify individual phones.

Exactly how many people were hacked and how they were impacted is unclear: According to court filings, approximately 76.6 million people had their data exposed, but T-Mobile has claimed only about 850,000 people's names, addresses and PINs were "compromised."

An individual selling the information on the dark web for 6 bitcoin (approximately $277,000 at the time) told Vice they had data relating to over 100 million people, all compiled from T-Mobile servers.

John Binns, a 21-year-old living in Turkey, eventually took responsibility for the cyberattack, the fifth such attack that has hit T-Mobile since 2015. "I was panicking because I had access to something big," Binns told The Wall Street Journal. "Their security is awful."

The July 24 settlement, filed in the US District Court for the Western District of Missouri, merges at least 44 class-action suits that claimed T-Mobile was lax with its cybersecurity. It also stipulates that T-Mobile invest $150 million in improving data security. 

Cyberattacks aside, T-Mobile still expects to add 6 million to 6.3 million new customers this year -- making it the industry leader in subscriber growth over rivals AT&T and Verizon. 

How much money could I receive from the settlement?

Class members -- in this case, people who were T-Mobile customers in August 2021 -- could receive cash payments of $25, Reuters reported, or $100 if they are California residents. 

It could also be substantially less, depending on how many people respond. In addition to paying out claims, the $350 million has to go toward settling legal fees and administrative costs. The plaintiffs' lawyers may charge up to 30% of the settlement, according to court filings.

Separately, some people could receive as much as $25,000 to cover losses they suffered as a direct result of the breach.

T-Mobile is also offering two free years of McAfee's ID Theft Protection Service to anyone who believes they may have been a victim of the hack.

How do I find out if I qualify for a payment from T-Mobile?

T-Mobile has not released the full details of its payment plan. Typically class members are notified they are eligible by mail. (Full disclosure: This reporter was a T-Mobile customer at that time.) 

Read more: How to Protect Your Personal Data After a Security Breach

Once customers are notified, they are then given 90 days to submit claim forms or request to opt out of the settlement and reserve the right to pursue their own separate legal claims, according to court papers.

It could be several months before individuals find out if they will receive money from the settlement, TechCrunch reported. 

Phone with T-Mobile logo

After being notified, customers will have 90 days to submit claim forms or request to opt out of the settlement.

NurPhoto/Getty Images

When will payments go out?

Qualified class members likely won't see any money until at least 2023. T-Mobile has 30 days to provide the court with a list of class members, along with their phone numbers and mailing and email addresses, "to the extent available."

Once eligible parties are notified, claims can be submitted. Legal fees are deducted and the remaining money is divvied up among class members who sent back claims. That could take months.

In addition, the $350 million payout has only received preliminary approval. It still requires final sign-off from a judge, which T-Mobile said would come by December at the earliest. 

What is T-Mobile doing to protect against future security breaches?

T-Mobile has "doubled-down" on fighting hackers, the company said in its July 22 statement, by boosting employee training, collaborating with industry experts like Mandiant and Accenture on new protocols and creating a cybersecurity office that reports directly to the company's chief executive officer, Mike Sievert.

Security journalist Brian Krebs reported in April 2022 that T-Mobile was a victim of the hacking group Lapsus$.

The hackers accessed employee accounts and attempted to find T-Mobile accounts associated with the Department of Defense and FBI, TechCrunch reported. They were thwarted by secondary authentication checks.