Washington Attorney General Bob Ferguson filed a lawsuit against T-Mobile, alleging severe failures in protecting consumer data that resulted in a 2021 breach impacting over 79 million individuals nationwide, including more than 2 million Washingtonians. The breach exposed sensitive data such as Social Security numbers, driver’s license details, and phone numbers, putting millions at risk of fraud and identity theft.
The lawsuit accuses T-Mobile of ignoring known cybersecurity vulnerabilities for years and misleading customers with claims of robust data protection. According to the Attorney General’s office, T-Mobile failed to adhere to industry standards, maintain adequate security monitoring, and address internal warnings of systemic weaknesses. The breach was reportedly enabled by the use of guessable credentials and unprotected access points.
Despite the massive breach occurring between March and August 2021, T-Mobile was only alerted after customer data surfaced for sale on the dark web. The lawsuit also claims the company’s breach notifications were inadequate and misleading. Critical details, such as the exposure of Social Security numbers, were withheld from some affected customers, leaving them ill-prepared to address potential risks.
Context and breach details
T-Mobile, headquartered in Bellevue, Washington, is the second-largest wireless carrier in the U.S. The 2021 breach is one in a series of cybersecurity incidents faced by the company, including previous breaches in 2018, 2019, and 2020. The August 2021 incident, however, was unprecedented in scale, affecting both current and former customers as well as prospective clients whose data had been retained in T-Mobile’s databases.
The breach exposed names, physical addresses, dates of birth, and sensitive identifiers like International Mobile Equipment Identity (IMEI) numbers. For Washington residents, over 183,000 Social Security numbers were compromised. Alarmingly, T-Mobile reportedly did not discover the breach through its own monitoring but was notified by an external cybersecurity firm.
Legal action underway
Attorney General Ferguson’s lawsuit seeks civil penalties, restitution for affected residents, and court-mandated reforms to T-Mobile’s cybersecurity practices. It alleges violations of Washington’s Consumer Protection Act and the state’s data breach notification statute, emphasizing T-Mobile’s failure to notify consumers effectively and its misrepresentation of its cybersecurity measures.
The complaint highlights T-Mobile’s inadequate security practices, such as weak credential management, insufficient monitoring, and a lack of centralized risk management oversight. These shortcomings, Ferguson contends, directly facilitated the breach and exacerbated its impact.
This lawsuit underscores the growing demand for accountability in data protection practices. Ferguson’s office advises affected consumers to monitor financial accounts, consider credit freezes, and remain vigilant against phishing scams and identity theft. For broader guidance on securing personal data and responding to breaches, Washington residents are encouraged to visit the Attorney General’s Data Breach Resource Center.