T-Mobile US Offers $350mn Settlement for Data Breach

In August 2021 hackers used a forum to claim they had raided servers belonging to T‑Mobile US and obtained personal data, including social security numbers, phone numbers, IMEI numbers and addresses, belonging to 100mn people. The mobile operator admitted a few days later that the breach was genuine, but put the number of people affected at 40mn. The number of victims was subsequently revised upwards, with T‑Mobile’s investigation finally concluding that data relating to 76.6mn people had been exfiltrated. Reuters reports that T‑Mobile filed a preliminary settlement offer on Friday, with the intention of addressing 44 class-action lawsuits that had been proposed in response to the breach. This settlement would provide:

  • compensation totaling USD350mn for victims of the breach, and
  • USD150mn additional expenditure on upgrading data security.

John Binns, a 21-year-old American-born resident of Turkey, told the Wall Street Journal that he had stolen the data as revenge for his mistreatment at the hands of US security agencies. Binns filed a lawsuit against the FBI, CIA and US Department of Justice in 2020, in which he claimed he had been tortured and spied upon because he was suspected of committing cybercrimes and belonging to Islamic State. He alleged he was kidnapped and placed in a mental institution against his will. Binns told the WSJ that he wanted to damage US infrastructure in retribution for the crimes committed against him, so he searched for weaknesses surrounding T‑Mobile’s systems. He described T‑Mobile’s security as ‘awful’, and said he succeeded in identifying a flaw that allowed him access to over a hundred of the telco’s servers at a data center in Washington state. He then spent a week searching for personal data, which ultimately led him to the millions of files he compromised.

Half a billion dollars is a big price to pay for leaving a router unprotected. Some will regret that the USD150mn that will now go towards strengthening cybersecurity was not spent earlier. Hackers have all sorts of motivations and methods, and they may strike from the far side of the planet. The US has lagged Europe in developing a legal framework suitable for protecting personal data, but the penalties for corporate failure are rising. Money spent today on eliminating weaknesses in data security is a good investment, even if it means lawyers never sit down and put a monetary value on the data stored by your company.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.