American telco set to pay US$350m for data leak
As part of the settlement of class action proceedings, American telecommunications provider T-Mobile has agreed to pay US$350 million for a 2021 hack that leaked the data of approximately 76.6 million US-based residents.
Editor’s note: This story first appeared on Lawyers Weekly’s sister brand, Cyber Security Connect.
T-Mobile announced the hack in August 2021, confirming its systems had been breached, after reports that the sensitive data of over 100 million of its customers, including Social Security numbers, names, addresses, and driver’s licence numbers, was up for sale.
The news follows the May case brought by ASIC against financial services firm RI Advice, in which that firm was ordered to pay $750,000 for breaching its licensing obligations with regard to managing cyber security risks — a case that has provided significant lessons for legal professionals.
Looking ahead, law firms and law departments will face “severe financial and reputational consequences” for not meaningfully managing cyber risk, with ASIC recently warning that failure to bolster cyber measures could mean firms run “foul of regulatory obligations”. Moreover, the recently expanded definition of critical infrastructure means that small firms could be more likely to face fines for failing to report cyber attacks.
In June, Lawyers Weekly spoke with legal professionals about what the sector wants and needs from Clare O’Neil MP, the new Minister for Cyber Security in the Albanese government.
According to the “Class Action Settlement Agreement and Release” document filed at the US District Court of Missouri, “this agreement fully and finally compromises and settles any and all claims that are, were, or could have been asserted in the litigation styled In re: T-Mobile Customer Data Security Breach Litigation”.
The proposed settlement agreement will still need to be approved by a judge. Once approved, T-Mobile will have 10 days to put money into the fund to cover the costs of notifying people who are eligible to claim.
The settlement covers “the approximately 76.6 million US residents identified by T-Mobile whose information was compromised in the data breach”, with a few caveats for some of the carrier’s employees and people close to the judges that presided over the case. However, the settlement agreement did not list any estimates on how much each claimant can expect to receive.
The lawsuit T-Mobile is aiming to settle accused the company of failing to protect its past, present, and prospective customers’ data, not properly notifying people who may have been impacted, and having “inadequate data security” overall.
According to T-Mobile, the settlement doesn’t constitute an admission of guilt, and the company denies the allegations listed in the agreement. The company “has the right to terminate the agreement under certain conditions” laid out in the proposed agreement, it stated in a US Securities and Exchange Commission filing, but it anticipates having to pay out the claims.
Outside of this lawsuit, there have been other responses to T-Mobile’s data breach and others like it. The US Federal Communications Commission (FCC) proposed new rules surrounding such attacks, which aim to improve how a company communicates with people about their data.
This is the fifth T-Mobile hack in four years, with its chief executive commenting that the security breach is “humbling”.