Washington State has initiated legal proceedings against T-Mobile, alleging significant cybersecurity failures that led to a massive data breach in 2021. This breach compromised the personal information of over 79 million customers nationwide, including more than 2 million residents of Washington. The lawsuit, filed by Attorney General Bob Ferguson, claims that T-Mobile’s negligence left consumers vulnerable to identity theft and fraud.
Key allegations against T-Mobile
- Inadequate security measures: the lawsuit asserts that T-Mobile was aware of its cybersecurity vulnerabilities for years but failed to implement necessary protections. This negligence is described as a direct violation of Washington’s Consumer Protection Act.
- Misleading communication: Ferguson’s office contends that T-Mobile misled affected customers regarding the severity of the breach. Notifications sent to customers were allegedly vague, omitting critical details about the compromised data, including Social Security numbers and other sensitive information.
- Delayed discovery of the breach: the breach reportedly began in March 2021 but went unnoticed until August when customer data appeared for sale on the dark web. This indicates a severe lapse in T-Mobile’s security monitoring practices.
Specific data compromised
The breach exposed a wealth of personal information, including:
- Names
- Phone numbers
- Physical addresses
- Driver’s license information
- Social Security numbers of approximately 183,406 Washington residents.
Previous settlements and reforms
In September 2022, T-Mobile agreed to pay a $31.5 million fine as part of a settlement with the Federal Communications Commission (FCC) over similar cybersecurity issues. This settlement mandated that T-Mobile enhance its cybersecurity protocols, including adopting zero-trust network security measures and implementing multi-factor authentication.
T-Mobile’s response
In response to the lawsuit, T-Mobile expressed surprise at the legal action, stating that it had engaged in discussions with Ferguson’s office regarding the incident. The company emphasized its commitment to resolving these issues and improving its cybersecurity practices.