(Reuters) — T-Mobile US Inc. agreed on Friday to pay $350 million to settle disputes surrounding a cyberattack last year that compromised information belonging to an estimated 76.6 million people.
It also agreed to spend an additional $150 million to upgrade data security.
The preliminary settlement was filed in federal court in Kansas City, Missouri.
That requires a judge’s approval, which the second-largest U.S. wireless carrier said could come in December.
T-Mobile denied wrongdoing, including allegations that it breached its obligations to protect customers’ personal information and had inadequate data security.
The Bellevue, Washington-based company disclosed the data breach last August, saying at the time it affected more than 47 million current, former and potential customers.
The number soon grew to over 50 million, and T-Mobile said in November that its investigation revealed an additional 26 million people whose personal information was accessed.
T-Mobile has said the information included names, addresses, dates of birth, driver̵7;s license data and social security numbers.
Friday’s settlement covered nationwide litigation that combined at least 44 proposed class actions.
Class members may receive cash payments of $25 or $100 in California, and some may receive up to $25,000 to cover losses, settlement papers show. They will also receive two years of identity theft protection.
John Binns, a 21-year-old American who had moved to Turkey a few years earlier, claimed responsibility for the hack, saying he pierced T-Mobile’s defenses after finding an unprotected router on the Internet, The Wall Street Journal said last August.
The plaintiffs’ attorneys can seek fees of up to 30%, or $105 million, of the settlement, the settlement documents show.