If you were a T-Mobile customer in 2021 you could be owed a chunk of a multimillion-dollar settlement the mobile carrier has offered after a massive data breach exposed tens of millions of users’ personal information.
T-Mobilein response to a class action suit stemming from the August 2021 hack, as well as investing $150 million in improving data security. If given final approval, the deal will be the second-largest data breach settlement in US history, following Equifax’s $700 million payout in 2019.
The company hasn’t acknowledged any wrongdoing but, in a July 22 statement shared with CNET, said it was “pleased to have resolved this consumer class action filing.”
“Customers are first in everything we do and protecting their information is a top priority,” T-Mobile added. “Like every company, we are not immune to these criminal attacks.”
Here’s what you need to know about the T-Mobile settlement, including who’s eligible for a payout, how much they could get and when the money might arrive.
For more on class action suitsfind out if you qualify for a payout from Facebook’s $90 million settlement or the $45 million settlement.
What happened in the T-Mobile data breach case?
On Aug. 15, 2021, T-Mobile reported a cyberattack had led to the theft of millions of people’s personal information, including names, addresses, dates of birth, Social Security numbers, driver’s license details and other sensitive information, including unique codes that identified individual phones.
Exactly how many people were hacked and how they were impacted is unclear: According to court filings, approximately 76.6 million people had their data exposed, but T-Mobile has claimed only about 850,000 people’s names, addresses and PINs were “compromised.”
An individual selling the information on the dark web for 6 bitcoin (approximately $277,000 at the time) told Vice they had data relating to over 100 million people, all compiled from T-Mobile servers.
John Binns, a 21-year-old living in Turkey, eventually took responsibility for the cyberattack, thethat has hit T-Mobile since 2015. “I was panicking because I had access to something big,” Binns told The Wall Street Journal. “Their security is awful.”
The July 24 settlement, filed in the US District Court for the Western District of Missouri, merges at least 44 class action suits that claimed T-Mobile was lax with its cybersecurity and failed to protect personal information.
Cyberattacks aside, T-Mobile still expects to add 6 million to 6.3 million new customers this year — making it the industry leader in subscriber growth over rivals AT&T and Verizon.
How much money could I receive from the settlement?
Class members — in this case, people who were T-Mobile customers in August 2021 — could receive cash payments of $25, Reuters reported, or $100 for California residents.
It could also be substantially less, depending on how many people respond. In addition to paying out claims, the $350 million has to go toward settling legal fees and administrative costs. The plaintiffs’ lawyers may charge up to 30% of the settlement, according to court filings.
Separately, some people could receive as much as $25,000 to cover losses they suffered as a direct result of the breach.
T-Mobile is also offering two free years of McAfee’s ID Theft Protection Service to anyone who believes they may have been a victim.
How do I find out if I qualify for a payment from T-Mobile?
T-Mobile has not released the full details of its payment plan. Typically class members are notified they are eligible by mail. (Full disclosure: This reporter was a T-Mobile customer at that time.)
Read more: How to Protect Your Personal Data After a Security Breach
Customers are then given 90 days to submit claim forms or request to opt out of the settlement and reserve the right to pursue their own separate legal claims, according to court papers.
It could be several months before individuals find out if they will receive money from the settlement, TechCrunch reported.
When will payments go out?
Qualified class members likely won’t see any money until at least 2023.
T-Mobile has 30 days to provide the court with a list of class members, along with their phone numbers and mailing and email addresses, “to the extent available.”
Once eligible parties are notified, claims can be submitted. Legal fees are deducted and the remaining money is divvied up among class members who sent back claims.
In addition, the $350 million payout has only received preliminary approval. It still requires final sign-off from a judge, which T-Mobile said would come by December at the earliest.
What is T-Mobile doing to protect against future security breaches?
T-Mobile has “doubled-down” on fighting hackers, the company said in its July 22 statement, by boosting employee training, collaborating with industry experts like Mandiant and Accenture on new protocols and creating a cybersecurity office that reports directly to the company’s chief executive officer, Mike Sievert.
Security journalist Brian Krebs reported in April 2022 that T-Mobile was a victim of the hacking group Lapsus$.
The hackers accessed employee accounts and attempted to find T-Mobile accounts associated with the Department of Defense and FBI, TechCruch reported. They were thwarted by secondary authentication checks.