"T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee's phone number to the threat actor's phone at their request"
No. Just no.
I don't care what the sob story was, the fact that T-Mobile accepted to do so means that it is T-Mobile that is guilty of handing out that data to the wrong person.
I just can't imagine why, in 2023, a communications company would still be able to do so. This is not a new kind of attack. There should be procedures in place preventing this from happening. And, if an employee ignores those procedures, he should be fired, because this is exactly what the procedures are meant to prevent.
T-Mobile, you are responsible for the proper management of your customers' data, and that includes their SIM data.
You utterly failed to uphold your responsibility.
If I were a T-Mobile customer, I'd be reviewing my options for leaving.