Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

T-Mobile’s Quick Deal Over Breach Heads Off Data Flow Claims (1)

July 26, 2022, 9:20 AMUpdated: July 27, 2022, 1:54 PM

T-Mobile US Inc.‘s $500 million deal to settle consumer claims brought over a 2021 hack would resolve a case that’s unusually focused on the flow of breached data.

Data breach lawsuit plaintiffs often struggle to establish cause and effect between a cyberattack and consumer harm. Consumers claimed in a series of class actions brought against T-Mobile that stolen personal information was put up for sale on a dark web forum, allegedly allowing for instances of actual and attempted identity theft and fraud.

“So many people’s data has been pilfered in various breaches that it’s difficult, if not impossible, to trace the attempted misuse of data to a particular breach,” said David Balser, a partner at King & Spalding LLP who has defended companies including Capital One Financial Corp. and Equifax Inc. in data breach lawsuits brought against them.

Being able to follow exfiltrated data makes it easier to “connect the dots on causation,” Balser said, likely spurring T-Mobile to settle sooner. Some of the consumers in the T-Mobile case said they were notified by third-party monitoring companies that their personal information was found on the dark web.

Their combined complaint alleged that T-Mobile tried to purchase the stolen customer data in exchange for its deletion from the forum.

The proposed T-Mobile settlement’s relatively large sum and quick resolution also set it apart from similar pacts with consumers.

“As we continue to invest time, energy, and resources in addressing this challenge, we are pleased to have resolved this consumer class action filing,” T-Mobile said in a July 22 statement.

The deal comes less than a year after T-Mobile disclosed last August that a cyberattack compromised more than 76 million customer records. T-Mobile hadn’t yet made legal arguments in favor of dropping the data breach suits, which were combined into one case.

“A business decision was made to put this behind them as quickly as possible,” Balser said.

The agreement includes $350 million to pay claims from consumers, with another $150 million boost to security spending at T-Mobile, putting the pact among the biggest data breach settlements lately.

Equifax previously agreed to pay about $380 million to resolve allegations stemming from a 2017 data breach that affected approximately 147 million people. That compares to Capital One’s $190 million data breach deal over an incident that impacted about 100 million people in the US.

Measuring Damages

The cyberattack against T-Mobile systems exposed customer details such as names, Social Security numbers, and phone numbers.

The proposed class action settlement estimates damages to consumers based on how much time they spent responding to the incident. As an alternative, consumers can seek fixed payments of $25 per person, or $100 for individuals in California, where a first-in-the-nation state privacy law lays out pre-set damages for data breaches.

“The issue has always been proving damages,” said Robert Braun, a partner at Jeffer Mangels Butler & Mitchell LLP. “By having statutory damages, that really changes the landscape for these kinds of settlements.”

One of the lawyers representing consumers in the T-Mobile suit said they’re pleased with the settlement, which still needs approval from the US District Court for the Western District of Missouri.

“The settlement provides unprecedented relief to a class of this size and was achieved early in the litigation, meaning benefits will be in the hands of class members much sooner than can usually be accomplished in these cases,” Norm Siegel, a partner at Stueve Siegel Hanson LLP, said in an emailed reaction on behalf of the consumers’ lawyers.

The settlement terms don’t detail how T-Mobile will use its $150 million in security spending, though the company said it has added to cyber defenses in the past year. That includes creating a cyber unit that reports directly to T-Mobile’s chief executive officer and working with consulting firms on further reforms to its security safeguards.

Lawyers from Alston & Bird LLP, Perkins Coie LLP, Spencer Fane LLP, and Snell & Wilmer LLP represent T-Mobile in the case. The consumers are represented by law firms including Stueve Siegel Hanson LLP, Keller Rohrback LLP, and Hausfeld LLP.

The case is In re T-Mobile Customer Data Security Breach Litig., W.D. Mo., No. 4:21-md-3019, settlement proposed 7/22/22.

(Updated with the parties' legal representation. The story originally published July 26.)

To contact the reporter on this story: Andrea Vittorio in Washington at

To contact the editors responsible for this story: Keith Perine at; Jay-Anne B. Casuga at