T-Mobile logo

T-Mobile agrees to pay customers $350 million in settlement over data breach

T-Mobile has agreed to pay $350 million to settle class action claims related to a 2021 cyberattack which impacted around 80 million US residents. Under the proposed settlement, T-Mobile would also commit to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023.

According to The New York Times, the filing in the US District Court for the Western District of Missouri states that the payment to each customer can’t exceed $2,500.

Data breach

In August 2021, a hacker claimed to have stolen 100 million people’s data from T-Mobile’s servers. This included data like names, driver licenses, addresses, and social security numbers. Roughly 850k active prepaid accounts had account PINs exposed.

After the merger with Sprint in 2020, T-Mobile reported having a total of 102.1 million US customers. Despite the claims of the hacker, initial estimates said some 55 million individuals were impacted. Later that number was raised to 80 million.

The settlement

T-Mobile has agreed to pay $350 million to settle multiple class-action suits stemming from the 2021 data breach. In a Securities and Exchange Commission filing, T-Mobile said the funds would pay for claims by class members, the legal fees of the plaintiffs’ counsel, and the costs of administering the settlement. It also said it would spend $150 million next year to fortify its data security and other technologies.

T-Mobile said the settlement contains no admission of liability, wrongdoing or responsibility by any of the defendants.

Increased security

In a short statement on the proposed settlement, T-Mobile pledged to improve its security program by:

  • Creating a Cybersecurity Transformation Office that reports directly to the CEO, as well as adding more top talent with decades of cyber strategy experience and leadership to the team.
  • Engaging in long-term collaborations with industry experts to design strategies and execute plans to further transform the cybersecurity program.
  • Committing to invest hundreds of millions of dollars to enhance its current cybersecurity tools and capabilities.
  • Conducting nearly 900,000 training courses for employees and partners across the company to understand their critical role in keeping safe.

Impact of data breaches

Data breaches are one of the most reported cyberattacks against businesses—regardless of size and industry. Nowadays, many ransomware attacks are accompanied with data exfiltration and leaks if the victim refuses to pay the ransom.

For many, a breach is proof that companies are not doing what they’re supposed to with their data, and that is to primarily secure it at all cost. Others will argue that a breach is not a matter of “if it happens” but “when it happens.” This, however, doesn’t take away from the effort that must be put in to prevent breaches, nor does it lessen the impact it has on affected customers.

So, another good strategy is to have a clear vision of what data you really need from your customers and how long you want to keep hold of them. One of the reproaches against T-Mobile at the time was that a large part of the stolen data belonged to former and prospective customers.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.