Tuesday, January 14, 2025

Attorney General Files Lawsuit Against T-Mobile For Data Security Failures

This week Attorney General Bob Ferguson filed a consumer protection lawsuit against T-Mobile for failing to adequately secure sensitive personal information of more than 2 million Washingtonians, causing a massive data breach that exposed the personal information of those consumers and made them vulnerable to fraud and identity theft.

Filed in King County Superior Court, the lawsuit asserts that T-Mobile knew for years about certain cybersecurity vulnerabilities and did not do enough to address them, while simultaneously misrepresenting to consumers that the company prioritizes protecting the personal data it collects. Ferguson’s lawsuit also alleges T-Mobile failed to properly notify affected Washingtonians of the data breach, downplaying its severity and sending notices to affected consumers that did not disclose all the information that had been compromised.

Ferguson’s lawsuit asserts that these failures violated Washington’s Consumer Protection Act, and alleges the 2021 data breach was the direct result of T-Mobile’s lack of accountability. “This significant data breach was entirely avoidable,” Ferguson said. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”

In August 2021, T-Mobile discovered that a hacker had gained access to the company’s internal network, exposing the personal information of 2,025,634 Washingtonians, out of 70 million consumers nationwide. Of those Washingtonians, 183,406 had their Social Security numbers compromised. Other data exposed included phone numbers, names, physical addresses, and driver’s license information, among other personal data.

The data breach began in March 2021 and continued until Aug. 12, 2021. However, due to a lack of adequate security monitoring, according to the lawsuit, T-Mobile was unaware of the breach until an anonymous outside source notified the company that its customers’ data was posted for sale on the dark web.

When T-Mobile learned of the data breach, the notification sent to affected consumers was inadequate in numerous ways. Current customers received text messages that were brief, omitted critical and legally required information, and in some cases, misled customers regarding the severity of the breach. In addition, those whose Social Security numbers were exposed did not receive any information regarding that exposure. Also, customers who did not have their Social Security numbers exposed were notified of that information in the texts they received from the company.

The downplayed T-Mobile notifications made affected consumers unable to adequately assess their risk of identity theft or fraud.

The 2021 breach was enabled, in part, when the hacker guessed obvious credentials to gain access to T-Mobile’s internal databases. But, for many years prior to August 2021, T-Mobile did not meet industry standards for cybersecurity and knew about these vulnerabilities, including insufficient processes for identifying and addressing security threats, and a systemic lack of oversight. In some cases, T-Mobile used obvious passwords to protect accounts that had access to customers’ sensitive personal information.

Prior to 2021, T-Mobile had already been the target of numerous cyberattacks. In fact, filings with the federal Securities and Exchange Commission from 2020, a year before the data breach at the center of Ferguson’s lawsuit, show that T-Mobile knew it would continue to be a target.

Despite knowing about and failing to address these cybersecurity issues for years, T-Mobile continued misrepresenting a commitment to cybersecurity for its customers, publicly touting on its website: “We’ve got your back. We’re always working to protect you and your family and keep your data secure.”

Ferguson’s lawsuit seeks civil penalties and restitution for the Washingtonians harmed, injunctive relief to require improvements to T-Mobile’s cybersecurity policies and procedures, and increased transparency in communications about cybersecurity to its customers.

Assistant Attorneys General Mina Shahin, Kathleen Box, Bret Finkelstein, Gardner Reed, Paralegal Matt Hehemann, Legal Assistant Luis Oida and Investigator Steuart Markley are handling the case for Washington.

“We have had multiple conversations about this incident from 2021 with the Washington AG’s office over the last several years and even reached out in late November to continue discussions, so the office’s decision to file a lawsuit came as a surprise,” said T-Mobile. “While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC. We also look forward to sharing how T-Mobile has fundamentally transformed our approach to cyber security over the past four years to further protect our customers.”

For more information about data breaches, data breach reports and protecting your private data, visit the Attorney General’s Data Breach Resource Center: atg.wa.gov/data-breach-resource-center.
