Washington State has filed a lawsuit against T-Mobile regarding a cybersecurity breach from 2021 that compromised the personal information of approximately 79 million individuals, including 2 million residents of Washington. The leaked data encompassed social security numbers, phone numbers, mailing addresses, unique IMEI identifiers, and driver’s license details.
The telecommunications company is accused of neglecting to implement industry-standard cybersecurity measures, resulting in the breach remaining undetected for four months.
T-Mobile Data Breach
This raises the question, “Which breach?” In this instance, it refers to the incident wherein a hacker accessed the personal details of around 79 million Americans.
The incident took place in April 2021, but T-Mobile only became aware of it when the hacker began offering the data for sale in August of the same year.
Initially, the company claimed it was uncertain whether its customers’ information had been compromised, later confirming that it had — not only affecting its customers. They initially estimated 47.8 million individuals were impacted, but later revised that figure to 79 million.
A succession of subsequent breaches led the Federal Communications Commission (FCC) to impose a $15.75 million fine on T-Mobile, mandating the company to invest an equivalent amount in enhancing its security protocols.
Washington State’s Legal Action Against T-Mobile
Attorney General Bob Ferguson announced this week that he has initiated a lawsuit against T-Mobile, asserting that the breach could have been “completely avoided.”
The lawsuit, submitted in King County Superior Court, claims that T-Mobile was aware of certain cybersecurity weaknesses for years yet failed to take adequate measures to mitigate them. Simultaneously, T-Mobile misled consumers by declaring that protecting the personal data it collects was a priority.
Ferguson’s suit also argues that T-Mobile did not adequately inform affected Washington residents about the data breach, downplaying its seriousness and sending notifications that failed to disclose all compromised data.
Ultimately, the suit contends that the significant data breach was a direct result of T-Mobile’s lack of accountability and its disregard for established cybersecurity practices.
“This major data breach was entirely preventable,” Ferguson stated. “T-Mobile had ample time to rectify key vulnerabilities in its cybersecurity infrastructure and did not do so.”
The lawsuit claims T-Mobile’s security lapses breached consumer protection legislation.
For several years leading up to August 2021, T-Mobile did not comply with industry standards for cybersecurity and acknowledged these vulnerabilities. These included inadequate processes for identifying and mitigating security threats, as well as a widespread lack of oversight. In some instances, T-Mobile relied on easily guessable passwords to protect accounts that had access to sensitive customer information. The breach in 2021 was partially facilitated by the hacker guessing these simple credentials to infiltrate T-Mobile’s internal databases.
Prior to 2021, T-Mobile had already faced numerous cyberattacks. In fact, filings made to the federal Securities and Exchange Commission in 2020, a year before the breach central to Ferguson’s lawsuit, indicated that T-Mobile anticipated it would continue to be a target.
Despite being aware of these cybersecurity threats for years and neglecting to address them, T-Mobile continued to misrepresent to its customers its commitment to cybersecurity, publicly proclaiming on its website: “We’ve got your back. We’re always working to protect you and your family and keep your data secure.”
Ferguson’s lawsuit argues that these failures violated the Washington Consumer Protection Act, asserting that the 2021 data breach was a direct consequence of T-Mobile’s lack of accountability.
Photo by Mateus Maia on Unsplash
FTC: We use income-earning auto affiliate links. More.
