T-Mobile US Inc (TMUS.O) agreed on Friday to pay $350 million and spend an additional $150 million to upgrade data security to settle litigation over a cyberattack last year that compromised information belonging to an estimated 76.6 million people.
The preliminary settlement was filed with the federal court in Kansas City, Missouri.
It requires a judge’s approval, which the second-largest U.S. wireless carrier said could come by December.
T-Mobile denied wrongdoing, including accusations that it breached its duties to protect customers’ personal information and had inadequate data security.
The Bellevue, Washington-based company expects an approximately $400 million pre-tax charge in this year’s second quarter for the settlement. It said it contemplated the charge and $150 million of spending in prior financial guidance.
T-Mobile disclosed the data breach last August, saying at the time it affected more than 47 million current, former and prospective customers.
The number soon grew past 50 million, and T-Mobile said in November its investigation uncovered an additional 26 million people whose personal information was accessed.
T-Mobile has said the information included names, addresses, birth dates, driver’s license data and Social Security numbers.
Friday’s settlement covered nationwide litigation combining at least 44 proposed class-action lawsuits.
Class members may receive cash payments of $25, or $100 in California, and some could receive up to $25,000 to cover out-of-pocket losses, settlement papers show. They will also receive two years of identity theft protection.
John Binns, a 21-year-old American who had moved to Turkey a few years earlier, took responsibility for the hacking, saying he pierced T-Mobile defenses after finding an unprotected router on the internet, The Wall Street Journal said last August.
The plaintiffs’ lawyers may seek fees of up to 30%, or $105 million, from the settlement, the settlement papers show.