In late October 2022, we received inquiries from readers who asked if a text message from Kroll Settlement Administration LLC about a 2021 T-Mobile data breach was a scam or legit. We can confirm that a message directing recipients to the URL t-mobilesettlement.com was a legitimate notification.
This text was sent out beginning around Oct. 20 and read as follows:
From Kroll Settlement Administration LLC. If your information was compromised in the 2021 T-MOBILE DATA BREACH, you are eligible for benefits from a Class Action Settlement, Case No. 4:21-md-03019 (BCW). A federal court has authorized this Notice. This is not a solicitation from a lawyer. Visit https://t-mobilesettlement.com to file a claim using your Unique Class Member ID: (ID here).
A Twitter user asked the official and verified T-Mobile account @TMobileHelp about the text message.
In response, T-Mobile answered, "Yes, this is the proposed, agreed upon settlement for the consumer class action filing related to the criminal attack of our systems we experienced in August 2021."
Readers may be wondering what this "criminal attack" was all about.
According to The New York Times, it was announced on July 22 that T-Mobile had reached a $500 million settlement for a data breach that hit the company in August 2021:
In a court filing late Friday, the mobile phone giant said it would pay $350 million to settle the customers’ claims and spend $150 million over the next few years bolstering its cybersecurity protection and technologies.
The breach affected 76.6 million people in the United States, according to the company. It exposed highly sensitive data, including customers’ first and last names, Social Security numbers and driver’s license information.
It was not clear how much individual T-Mobile customers would receive from the settlement, though the proposed agreement, filed in U.S. District Court for the Western District of Missouri, stipulates that individual payments cannot exceed $2,500.
As the Times said, the amount of money individuals would receive in the settlement was unclear. This appeared to depend upon the number of people who would file to receive a check. Just as an example, if 50 percent of the 76.6 million people who were affected received a payment from the $350 million fund, that would mean each person would only receive around $9.
The Times reported that lawyers for the wireless carrier said the settlement "did not mean the company was acknowledging any wrongdoing," but rather that these sorts of data breaches had frequently occurred for a number of companies "in the tech, banking and retail industries in recent years."
Note: T-Mobile also released a statement following the July court filing, explaining that the company had, in its words, "doubled down" on its cybersecurity following the data breach.