Washington State is suing T-Mobile over a 2021 security breach which exposed the personal data of some 79 million people, including 2M Washington residents. Data exposed included social security numbers, phone numbers, physical addresses, unique IMEI numbers, and driver’s license information.
The carrier is accused of failing to follow industry-standard cybersecurity processes, which allowed the breach to go unnoticed for four months …
T-Mobile data breach
The very phrase begs the question “which one?” and in this case it’s the attack in which a hacker obtained the personal data of some 79 million Americans.
The breach occurred in April 2021, but T-Mobile didn’t even realize it had happened until the hacker started advertising the data for sale in August that year.
The carrier initially said it didn’t know whether customer data was obtained, then said it was – and not just its own customers. At that time it put the number of people affected at 47.8M, but later admitted it was 79M.
A series of further breaches saw the Federal Communications Commission (FCC) fine the carrier $15.75M, and ordered it to spend the same again on boosting its security measures.
Washington State suing T-Mobile
Attorney General Bob Ferguson announced this week that he has filed a lawsuit against the company, arguing that the breach was “entirely avoidable.”
The lawsuit, filed in King County Superior Court, asserts that T-Mobile knew for years about certain cybersecurity vulnerabilities and did not do enough to address them. At the same time, T-Mobile misrepresented to consumers that the company prioritizes protecting the personal data it collects.
Ferguson’s lawsuit also alleges T-Mobile failed to properly notify affected Washingtonians of the data breach, downplaying its severity and sending notices to affected consumers that did not disclose all the information that had been compromised.
In short, the lawsuit asserts that the massive data breach was a direct result of T-Mobile’s lack of accountability and failure to adhere to industry cybersecurity standards.
“This significant data breach was entirely avoidable,” Ferguson said. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”
The lawsuit says T-Mobile’s security failures violated consumer protection law.
For years prior to August 2021, T-Mobile did not meet industry standards for cybersecurity and knew about these vulnerabilities. These included insufficient processes for identifying and addressing security threats and a systemic lack of oversight. In some cases, T-Mobile used obvious passwords to protect accounts that had access to customers’ sensitive personal information. The 2021 breach was enabled, in part, when the hacker guessed obvious credentials to gain access to T-Mobile’s internal databases.
Prior to 2021, T-Mobile had already been the target of numerous cyberattacks. In fact, filings with the federal Securities and Exchange Commission from 2020 — a year before the data breach at the center of Ferguson’s lawsuit — show that T-Mobile knew it would continue to be a target.
Despite knowing about and failing to address these cybersecurity issues for years, T-Mobile continued misrepresenting to its customers a commitment to cybersecurity, publicly touting on its website: “We’ve got your back. We’re always working to protect you and your family and keep your data secure.”
Ferguson’s lawsuit asserts that these failures violated Washington’s Consumer Protection Act. It alleges the 2021 data breach was the direct result of T-Mobile’s lack of accountability.
Photo by Mateus Maia on Unsplash
FTC: We use income earning auto affiliate links. More.
Comments