T-Mobile US has agreed to pay a C$350 million settlement fee for a cyberattack in 2021 in which information from an estimated 76.6 million people was compromised.

The preliminary settlement was filed in federal court in Kansas City, Missouri, and in addition to the C$350 million, T-Mobile will spend an additional C$150 million to improve data security.

The lawsuit accused T-Mobile of failing to comply with its obligation to protect the personal data of its customers and that the company had insufficient data security.

The settlement covers statewide litigation that includes at least 44 proposed class actions. Class members may receive cash payments of C$25 or C$100 in California, and some could receive up to C$25,000 to cover out-of-pocket losses. They will also receive two years of identity theft protection.

The settlement papers show that plaintiffs’ attorneys can demand fees of up to 30 per cent, or C$105 million, from the settlement.

The cyberattack that led to lawsuits took place in 2021 and 21-year-old American John Binns claimed responsibility for the attack. According to Binns, he infiltrated T-Mobile’s defenses after discovering an unprotected router on the internet.

After the attack, T-Mobile made the data breach public in August, claiming that more than 47 million current, former and future customers were affected. The number jumped to more than 50 million, and another report in November revealed another 26 million affected customers.

The sources for this piece include an article in Reuters.