
When T-Mobile compromised the sensitive personal information of more than 76 million current, former, and prospective customers in 2021, plaintiffs in a class action lawsuit complained that the company continued to profit from their data while trying to cover up “one of the largest and most consequential data breaches in US history.”
Now T-Mobile, without admitting guilt, has agreed to pay a $500 million settlement (pending a judge’s approval), of which $350 million will go to the settlement fund and “at least $150 million” will go toward data security measures until 2023.
T-Mobile declined to tell Ars about specific upcoming plans to improve data security, instead linking to a statement describing the steps it has taken to “double down” on security in the past year. Those include creating an Office of Cyber Security Transformation that reports directly to T-Mobile CEO Mike Sievert; collaborating with cybersecurity companies to “further transform our cybersecurity program”; increasing employee cybersecurity training; and investing “hundreds of millions of dollars to improve our current cybersecurity tools and capabilities.”
All T-Mobile customer payments under the proposed settlement will be disbursed through an independent third-party settlement administrator. The settlement says that T-Mobile will have 10 days to send funds to the settlement administrator to start the notification process for everyone deemed eligible to file claims.
At this time, no one knows exactly how large the individual payments will be, because that figure will depend on the total number of claims filed if the settlement is approved. T-Mobile says everyone whose data was compromised has already been notified, while attorneys representing the people suing T-Mobile have said it is still possible that more victims will be identified. At least one law firm has created an email address to answer questions from anyone concerned about missing out on the proposed settlement. In the proposed settlement agreement, T-Mobile also said that a toll-free number and website would be established to answer any remaining questions.
In its statement, T-Mobile says it is “pleased to have resolved this consumer class action lawsuit filing.”
However, for T-Mobile customers harmed by the data breach, the pain is not expected to end any time soon. In their complaint, customers say they will continue to pay for T-Mobile’s weak security. They believe their data is compromised forever and say they will have to pay for continued identity theft protection well into the future, with the “secure, imminent, and ongoing threat of fraud and identity theft” always lurking.
T-Mobile data security mistakes
A lot went wrong for the T-Mobile data breach to happen, but the plaintiffs say the company violated the terms of its own privacy policy by not properly disclosing information about the breach and by not putting adequate security measures in place to reasonably protect the data in the first place.
Perhaps the most direct example of T-Mobile’s failure to properly disclose information about the breach was its apparent cover-up of hacked accounts where Social Security numbers were leaked. In the complaint, customers shared text and email notifications sent by T-Mobile that described the data leak only in general terms and failed to say that a customer’s Social Security number had been leaked when it had; but when it had not, T-Mobile sent separate notices specifically assuring customers that Social Security numbers were not leaked. The inconsistency suggests that T-Mobile intentionally hid the details of the data breach from those most vulnerable to identity theft.
Perhaps most egregious among the allegations that T-Mobile failed to take basic steps to adequately safeguard data was the claim that the company did not rely on a standard industry practice for data protection called “rate limiting.”
Rate limiting is a way to keep servers stable so they do not receive too many requests at once. By capping the number of requests a server will accept from a given source during a given period of time, you help prevent resource exhaustion for regular users and stop attackers from flooding servers with requests. Anyone who has ever been locked out after too many failed logins in a row has experienced this defense at work.
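The failed-login lockout described above is the simplest form of rate limiting to show in code. The following is an added example, not code from the article or from T-Mobile: a sliding-window limiter that counts recent failed logins per key (an account name or a source address are both hypothetical keys here) and refuses further attempts, even ones with the right password, once the cap is reached within the window. The limit is checked before the credentials are verified, so a locked-out key learns nothing from its further attempts. The event list is constructed sample data with a fake clock so the run is deterministic.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter: allow at most `max_attempts` failed logins
    per key within the last `window_seconds` seconds.

    `clock` is injectable so tests can drive time by hand; it defaults
    to time.monotonic in production.
    """

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        # key -> timestamps of failures still inside the window (oldest first)
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_blocked(self, key):
        now = self.clock()
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_attempts

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)

    def record_success(self, key):
        # A successful login clears the key's failure history.
        self._failures.pop(key, None)


def attempt_login(limiter, key, password_ok):
    """Return 'blocked', 'ok' or 'denied'.

    The limit is checked first: a blocked key is refused before any
    credential check runs, so a correct guess during lockout still fails.
    """
    if limiter.is_blocked(key):
        return "blocked"
    if password_ok:
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key)
    return "denied"


def simulate(events, max_attempts=5, window_seconds=300):
    """Replay (timestamp, key, password_ok) events against a fresh limiter
    using a fake clock; return a list of (timestamp, key, outcome)."""
    current = [0.0]
    limiter = LoginRateLimiter(max_attempts, window_seconds, clock=lambda: current[0])
    outcomes = []
    for t, key, ok in events:
        current[0] = float(t)
        outcomes.append((t, key, attempt_login(limiter, key, ok)))
    return outcomes


# Constructed sample: a burst of bad passwords for one hypothetical source
# address, an unrelated user logging in normally, the correct password
# arriving during lockout, and a retry after the window has expired.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False),
    (1, "203.0.113.7", False),
    (2, "203.0.113.7", False),
    (3, "198.51.100.2", True),   # unrelated key, unaffected by the burst
    (3, "203.0.113.7", False),
    (4, "203.0.113.7", False),   # fifth failure: cap reached
    (5, "203.0.113.7", False),   # blocked without touching credentials
    (6, "203.0.113.7", True),    # correct password, still blocked
    (400, "203.0.113.7", True),  # window expired, failures pruned, allowed
]

if __name__ == "__main__":
    for t, key, outcome in simulate(SAMPLE_EVENTS):
        print(f"t={t:>3} key={key:<14} {outcome}")
```

Two design points a practitioner would check before deploying something like this: the limiter keys only on one value, so a per-account window alone lets anyone lock a victim out by spamming bad passwords for that account, which is why production systems usually combine per-account and per-source windows and escalate to step-up verification rather than a hard lock; and in-memory state such as this does not survive restarts or span multiple servers, so a shared store with expiring keys is the usual next step.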