Dive Brief:
- T-Mobile agreed to pay $500 million to settle a class-action lawsuit stemming from a 2021 cyberattack that exposed personal data on at least 76.6 million people.
- The settlement reached on Friday, which still requires final court approval, includes a $350 million payment to members of the class action and its related legal costs. T-Mobile also agreed to invest an additional $150 million in data security and cybersecurity technology in 2022 and 2023.
- The massive data breach, widely regarded as the largest carrier breach on record, marked the fifth publicly acknowledged security incident for T-Mobile in three years. The company assumed no admission of liability, wrongdoing or responsibility as part of the settlement.
Dive Insight:
The settlement amounts to a one-time payment of about $6.50 for each individual whose personal information was compromised in the attack. T-Mobile gets to invest 30% of that directly back into its own cybersecurity practice.
The lingering damage done by the latest attack could cost T-Mobile more in missed business opportunities.
The company is known for having poor security and “attackers take advantage of that. They are an easier target because of it,” Allie Mellen, senior analyst at Forrester, said in a phone interview prior to the settlement agreement.
“Ultimately it’s going to take them even longer to really build up their defensive strategies because of all these continued breaches, and they’re also a much bigger target because of it," she said.
The company previously told investors it expected to record a $400 million charge during the second quarter of 2022 in connection with legal settlements related to the August 2021 cyberattack.
T-Mobile said it expects the class-action lawsuit settlement to receive final court approval in December 2022, but that could be delayed by appeals or additional proceedings.
