T-Mobile Strikes $500 Million Settlement For Continued Sloppy Data Practices
T-Mobile hasn't been what you'd call competent when it comes to protecting its customers' data. The company has been hacked several different times over the last few years, with hackers going so far as to ridicule the company's lousy security practices.
This week the company finally paid a penalty for its continued lax security and privacy practices in the form of a new $500 million class action settlement. As part of the settlement (in which T-Mobile admits no wrongdoing), T-Mobile has to pay out $350 million to customers and lawyers, with the remaining $150 million going toward shoring up its privacy and security practices.
The company links to a statement claiming that protecting consumer data is a top priority," then outlining improvement steps the company would have taken already if that claim had actually been true. Other promises are just kind of vague:
engaging in long-term collaborations with industry experts Mandiant, Accenture, and KPMG to design strategies and execute plans to further transform our cybersecurity program
The press tried to get T-Mobile to clarify on some of this and didn't receive an answer. The size of the payments consumers will get won't be determined until we see how many consumers actually apply, though the class action lawyers themselves will be handsomely compensated to be sure.
For reference, this is the hack after which the hacker involved publicly ridiculed T-Mobile's security as awful," highlighting how the company hadn't implemented basic things like server rate limiting to protect consumer data. T-Mobile has also been caught up in numerous location data and SIM hijacking scandals, several of which resulted in lost cryptocurrency fortunes and even stalking incidents.
Rampant overcollection of consumer data, selling it to any nitwit with a nickel, failing to secure that data, and lying about whether this data was sold is a longstanding tradition in the telecom, adtech, and tech sectors. As is pretending the over-collection of data is no big deal because said data has been anonymized." As is clearly communicating with users when their data is compromised.
All stuff that could have been at least moderated somewhat if the U.S. had shaken off corruption to pass a baseline privacy law for the Internet era sometime in the last two decades. But, well, there was money to be made.