T-Mobile US to pay $350 million, plus security expenses, for 2021 data breach

T-Mo will also inject an additional $150 million in data security spending

T-Mobile US has agreed to a $350 million settlement in a class action lawsuit over a 2021 security breach at the company that was the largest on record and compromised the data of tens of millions of current, past and potential customers.

As part of the settlement, the network operator also pledged to spend an additional $150 million on data security through 2023, bringing total settlement spending to $500 million.

The proposed class action settlement “contains no admission of liability, wrongdoing or liability,” according to a company filing with the Securities and Exchange Commission. It could be approved as early as December 2022.

As a result of the proposed settlement and additional settlements the company is working on, T-Mo said it expects to record a financial charge of $400 million in its second-quarter 2022 financial results. second quarter tomorrow.

T-Mobile US originally stated at the time of the breach that approximately 13.1 million current postpaid customers had associated information accessed illegally, that data files containing information on approximately 40.6 million “of former or potential T-Mobile customers” had been compromised, and that information, including account PINs, was hacked for approximately 900,000 active T-Mobile or Metro prepaid customers. The information included customers’ first and last names, Social Security numbers, and driver’s license information, among other personal details. Ultimately, T-Mo concluded that the total number of people affected was around 76.6 million.

A 21-year-old US citizen living in Turkey claimed responsibility for the attack; he spoke to several media outlets, provided evidence to support his claim to The Wall Street Journal and said he carried out the attack in retaliation for being targeted by US law enforcement for his alleged involvement in a malicious botnet. The man then filed a lawsuit against the Justice Department, FBI and CIA in Washington, DC District Court, then had the case dismissed a month later.

T-Mobile US CEO Mike Sievert said in the immediate aftermath of the breach that T-Mobile US expanded its relationship with security firm Mandiant and began working with KPMG to strengthen its security strategy.

T-Mobile US has weathered a number of major data breaches (having confirmed half a dozen since 2018, according to TechCrunch), but the 2021 incident was its biggest consumer information breach to date. And the security challenge is ongoing and ever-changing for network operators and other leading technology companies that are targeted by cybercriminals. More recently, security researcher Brian Krebs reported in April this year that he obtained chat logs from hackers discussing the theft of T-Mobile US source code after gaining access to internal software tools for employees, which allowed them to “exchange SIM cards” or reassign a mobile number to a device under the control of hackers in order to intercept information.

The LAPSUS$ hackers used their access to search for T-Mobile US accounts that were associated with the FBI and US Department of Defense, Krebs wrote (and provided screenshots), but those accounts couldn’t be edited, as they required additional verification processes.

T-Mobile US told Krebs that its monitoring tools detected the use of stolen credentials in its internal systems, but “the systems accessed did not contain any customer or government information or other similar sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as expected, the intrusion was promptly stopped and closed, and the compromised credentials used have become obsolete.”