On July 22, 2022, T-Mobile agreed to settle the class action suit brought on behalf of 76 million customers whose PII was stolen in a data breach in 2021. Under the terms of the settlement, the cellphone carrier would pay $350 million on claims by class members and their attorneys. The plaintiffs could be paid up to $25,000 for out-of-pocket losses and $25 an hour for their time dealing with those losses, and receive two years of identity theft protection services.
The company also will spend at least $150 million on upgrading data security. T-Mobile made no admission of wrongdoing in the proposed settlement document though the cell phone carrier’s CEO apologized to customers for the security failure in 2021. A 21-year-old hacker took responsibility in an interview with the Wall Street Journal, saying that he broke into a T-Mobile data center through an unprotected router, then used stored credentials to access more than 100 servers.
Information Industry (Including Telecom) Data Breach Count
In 2021, the information industry (which includes the mobile carriers) was hit with 2,561 cyber incidents, 378 with confirmed data disclosures, according to the Verizon DBIR. That placed the industry at #4 for total incidents and #5 for data breaches of 21 industry categories surveyed in the DBIR.
Most Probable Risks by Incident Frequency and Loss for the Information Industry
The RiskLens data science team estimates risk for companies in an industry category based on the cyber events history plus a wide range of parameters such as revenue, number of employees and number of database records.
Based on RiskLens research, T-Mobile, as an information industry member, had a 38% greater probability than other industries to experience costs from lawsuits and other secondary response costs (SRC). Furthermore, with the size of the breach and T-Mobile’s revenue level, the probability of incurring SRC and the amount of payout were most likely to increase significantly from the norm. One reason: a telecommunications company holding and moving large amounts of data on networks is likely to run a higher risk of data breach or other incidents.
Shown below is the likelihood that the common types of cyber loss events (from the Verizon DBIR) will occur on an annual basis for an enterprise in the information industry and fitting T-Mobile’s profile. We pulled these numbers from the RiskLens My Cyber Risk Benchmark tool (note that the estimate for losses from “System Intrusion” was confirmed by the $500 million number announced in the court settlement document):
- Basic Web Application Attack: 12.4% probability of an event costing $594.8 million
- Insider Error: 10% probability of an event costing $64.1 million
- Insider Misuse: 7.1% probability of an event costing $474.7 million
- System Intrusion: 4.4% probability of an event costing $528.5 million
- Social Engineering: 4.3% probability of an event costing $998.5 million
- Denial of Service: 3.8% probability of an event costing $317.8 million
- Ransomware: 3.6% probability of an event costing $159.4 million
Cybersecurity Controls Posture Makes a Difference
As an example, an information industry organization is looking at these chances of a System Intrusion loss event in a year, depending on how well it implemented and maintained controls, based on ratings from SecurityScorecard.
- A rating = 2.3%
- C rating = 4.4% (the rating given T-Mobile by SecurityScorecard)
- F rating = 6.7%
The stats in this blog post were pulled from the RiskLens My Cyber Risk Benchmark tool, powered by RiskLens data science (with security ratings from Security Scorecard). See how your industry and your organization stack up – get a free trial of My Cyber Risk Benchmark.