T-Mobile is the second-largest wireless carrier in the U.S. and has an estimated 110 million subscribers. The company has been repeatedly targeted by external threat actors over the past decade. The first large breach occurred between September 1, 2013 and September 16, 2015 and affected some 18 million customers. Another breach occurred in 2018, involving more than 2 million customers. It experienced another attack in 2019 involving its prepaid customers followed by two attacks in 2020.

Description

On August 16, 2021, T-Mobile experienced yet another cyberattack that resulted in a data breach. An investigation conducted by the company determined that the data of more than 53 million people had been compromised, including that of current, former, and prospective customers. Some of the data included first and last names, social security numbers (SSN), date of birth and driver’s license information. T-Mobile confirmed that no customer financial information such as credit card or debit card information was exposed in the incident. As a result of the attack, more than 40 data privacy litigation suits were filed across the country. These were then consolidated into a multidistrict litigation (MDL) class action suit filed before the U.S. District Court of the Western District of Missouri.


Basis of the Case

In the MDL suit, the plaintiffs alleged that they “entrusted their sensitive personally identifiable information (PII) to T-Mobile with the understanding that T-Mobile would keep their information secure and employ reasonable and adequate security measures to ensure that it would not be compromised.” The suit then asserted that had the plaintiffs known about T-Mobile’s lax security practices, they would not have done business with them.

Plaintiffs argued that T-Mobile did not take basic measures to properly safeguard their data. One specific example brought out was that the company did not utilize “rate limiting,” an industry standard practice that limits the number of data requests a server can receive within a given timeframe. This practice helps prevent hackers from inundating servers with requests. The complaint also stated that T-Mobile did not properly disclose the fact that social security numbers (SSN) had been compromised in the attack, which left the victims unaware of this fact. The plaintiffs also asserted additional claims including:

  • Negligence
  • Breach of confidence
  • Breach of express contract and implied contract
  • Unjust enrichment
  • Violation of state consumer protection and privacy laws including CCPA
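
As an added illustration of the control the complaint names (this is example code, not anything from T-Mobile or the litigation), the following is a per-client sliding-window rate limiter that caps how many requests one client may make within a rolling time window; the client names and traffic are constructed sample data.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window_ms` span."""

    def __init__(self, limit: int, window_ms: int):
        self.limit = limit
        self.window_ms = window_ms
        # client key -> timestamps (ms) of requests admitted inside the window
        self._seen = defaultdict(deque)

    def allow(self, client: str, now_ms: int) -> bool:
        q = self._seen[client]
        # Evict timestamps that have aged out of the rolling window.
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over quota: reject without recording
        q.append(now_ms)
        return True


def replay(limiter: SlidingWindowLimiter, requests):
    """Run (timestamp_ms, client) pairs through the limiter in time order.

    Returns {client: (allowed, rejected)}.
    """
    counts = defaultdict(lambda: [0, 0])
    for ts, client in sorted(requests):
        counts[client][0 if limiter.allow(client, ts) else 1] += 1
    return {c: tuple(v) for c, v in counts.items()}


# Constructed sample traffic: client-A fires 100 lookups in 2 seconds, the kind of
# burst that inundates a server; client-B sends 5 requests spread over 8 seconds.
BURST = [(i * 20, "client-A") for i in range(100)]
NORMAL = [(i * 2000, "client-B") for i in range(5)]


def demo():
    """Ten requests per rolling second per client: the burst is mostly throttled."""
    limiter = SlidingWindowLimiter(limit=10, window_ms=1000)
    return replay(limiter, BURST + NORMAL)


if __name__ == "__main__":
    print(demo())  # {'client-A': (20, 80), 'client-B': (5, 0)}
```

Rejected requests are not recorded, so a client that keeps hammering the endpoint does not extend its own lockout; a production deployment would key on an authenticated identity or source address and return HTTP 429 on rejection.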

In September 2022, T-Mobile agreed to pay a record-setting settlement of $350 million. In addition to the monetary awards, T-Mobile will also offer free enrollment for identity protection services and credit monitoring over a two-year period. The company also agreed to commit a minimum of $150 million for data security and related technologies for years 2022 and 2023, above its previously budgeted baseline. T-Mobile will also create a Cybersecurity Transformation Office that will report directly to the CEO. This office will be responsible for ramping up employee cybersecurity training.


Call to Action

The escalating costs of class action settlements are one more reason why cybersecurity insurance is a necessity for any business today. On top of that, the number of cyberattacks continues to increase each year, leading the industry to believe that cybercrime costs will reach $10.5 trillion annually by 2025. Insurance companies have been losing on the cyber policies they issued prior to the pandemic, forcing renewal rates to rise dramatically. To curb these losses, insurance companies have become a lot more selective about whom they choose to cover, often cherry-picking customers according to their perceived risk factor. Those companies deemed a high risk are simply denied coverage. Many insurance companies require a list of prescribed security controls such as multi-factor authentication (MFA). They also want some proof that a potential client is implementing reasonable security practices. That is where a Duty of Care Risk Assessment (DoCRA) can strengthen your security program. Establishing reasonable security for your organization helps in the cybersecurity underwriting process by showcasing how you manage your risk appropriately. DoCRA can also demonstrate duty of care in litigation. Understand how reasonable security requirements apply to your specific organization with a DoCRA risk assessment.
