US: Washington state files suit against T-Mobile after data breach
The attorney general of the US state of Washington filed a consumer protection lawsuit against T-Mobile US on Monday. The filing accuses the US subsidiary of Deutsche Telekom of failing to sufficiently protect customer data against a cyberattack in 2021. The personal data of more than 79 million people was stolen in the attack.
Of those 79 million customers, more than two million are residents of Washington state, Attorney General Bob Ferguson announced in a press release. In the lawsuit Ferguson accuses the company of violating the state’s Consumer Protection Act. The attorney general is demanding compensation for those impacted by the data breach and calls on the court to require T-Mobile to improve its cybersecurity. With more than 120 million customers, the company is one of the largest mobile service providers in the United States.
The hackers behind the 2021 cyberattack were able to steal customers’ names, addresses, and dates of birth, among other information. Telephone numbers, driver’s license information, and Social Security numbers were also stolen. The hackers reportedly put some of this data up for sale.
Social Security numbers are especially sensitive because in the US they are used not only for tax purposes, but also as a form of identification. In the wrong hands, the numbers can be used to commit identity theft – a criminal with access to a person’s Social Security number could for example apply for a credit card in that person’s name.
Avoidable data theft
Washington’s attorney general accuses T-Mobile US of having neglected the security of its IT systems for years. The company knew of its vulnerabilities but failed to remedy them, the lawsuit charges. In a 2020 filing with the Securities and Exchange Commission, for example – at a time when the company had already experienced numerous instances of data theft in preceding years – T-Mobile stated that it expected “to continue to be the target of cyber-attacks, data breaches, or security incidents.”
Nevertheless, in practice, the provider failed to adhere to its own cybersecurity policies. For instance, the company used “obvious passwords” for some of its systems – in 2021, attackers were able to simply guess some of these passwords in order to gain access to customer data. There was also no limit on the number of login attempts allowed. The data breach “was a direct result of T-Mobile’s lack of accountability,” the lawsuit states.
What’s more, because T-Mobile did not adequately monitor its own systems, the attackers retained access between March and August 2021 without the company noticing. T-Mobile did not learn of the breach until it received an outside tip that its customers’ data was being offered for sale online.
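The two weaknesses the lawsuit names in the preceding paragraphs (guessable passwords with no limit on login attempts, and no monitoring that would have flagged months of unauthorized access) are easy to show side by side. The following Python is an added example written for this page; it is not code from the article, from T-Mobile, or from the complaint. The user store, the guess list, the time values and the thresholds are all constructed for the demonstration, and the PBKDF2 iteration count and fixed salt are deliberately low so the example runs quickly and deterministically.

```python
"""Added example: online password guessing against a login endpoint with and
without per-account attempt limiting, plus the log check that would have
raised an alert. Users, passwords, timestamps and thresholds are constructed."""
import hashlib
import hmac
from collections import defaultdict, deque

SALT = b"constructed-demo-salt"  # fixed salt only so the demo is deterministic


def hash_password(password: str) -> bytes:
    # Low iteration count for demo speed; production would use a far higher one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


# Constructed user store: one service account with an "obvious" password.
USERS = {
    "svc-report": hash_password("Password1"),
    "ops-admin": hash_password("n7#Lq2vX!wR4pZ"),
}

# Constructed guess list an attacker would try first.
WORDLIST = ["123456", "password", "admin", "welcome", "Password1"]


class AuthService:
    """Login front end. max_attempts=None reproduces the 'no limit' weakness."""

    def __init__(self, max_attempts=None, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # consecutive failures per account
        self.locked_until = {}             # account -> unlock timestamp
        self.events = []                   # (timestamp, account, outcome) audit log

    def login(self, user, password, now):
        if self.locked_until.get(user, 0) > now:
            self.events.append((now, user, "locked"))
            return "locked"
        stored = USERS.get(user)
        # Constant-time compare; an unknown user still costs one hash to avoid enumeration by timing.
        if stored is not None and hmac.compare_digest(stored, hash_password(password)):
            self.failures[user] = 0
            self.events.append((now, user, "ok"))
            return "ok"
        hash_password(password) if stored is None else None
        self.failures[user] += 1
        self.events.append((now, user, "denied"))
        if self.max_attempts is not None and self.failures[user] >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
        return "denied"


def guess_password(service, user, wordlist, start=0.0):
    """Online guessing attack, one guess per second. Returns (password or None, attempts)."""
    for i, candidate in enumerate(wordlist):
        if service.login(user, candidate, start + i) == "ok":
            return candidate, i + 1
    return None, len(wordlist)


def failed_login_alerts(events, threshold=3, window=60):
    """Sliding-window count of failed/locked logins per account.
    Returns the accounts that reached `threshold` failures within `window` seconds."""
    recent = defaultdict(deque)
    alerted = set()
    for ts, user, outcome in sorted(events):
        if outcome == "ok":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerted.add(user)
    return sorted(alerted)


if __name__ == "__main__":
    unlimited = AuthService()
    print("no limit:", guess_password(unlimited, "svc-report", WORDLIST))
    limited = AuthService(max_attempts=3)
    print("lockout :", guess_password(limited, "svc-report", WORDLIST))
    print("alerts  :", failed_login_alerts(limited.events))
```

Against the unlimited service the weak password falls on the fifth guess; with a three-strike lockout the same guess list never gets there, and the audit log from either run trips the alert, which is the monitoring signal the article says was missing for five months. Lockouts should be paired with an unlock path and rate limiting by source address, otherwise an attacker can turn the lockout itself into a denial of service against legitimate users.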
Attorney General Ferguson said in the press release: “This significant data breach was entirely avoidable. T-Mobile had years to fix key vulnerabilities in its cybersecurity systems – and it failed.”
The lawsuit characterizes the company’s response to the breach as inadequate as well. Customers were notified of the incident by text – but the notifications omitted legally required information. In some cases customers who were impacted by the breach were misled about its extent.
Some customers whose Social Security numbers were stolen were not told so, while others who did receive such a notification had not in fact had their Social Security numbers stolen. Without accurate information, customers could not properly assess their risk of identity theft.
A spokesperson for T-Mobile told the news site TechCrunch that the lawsuit was a “surprise.” The company is “open to further dialogue and welcome[s] the opportunity to resolve this issue.”
Repeated instances of customer data theft
Hackers have stolen data from the US mobile service provider on several occasions over the past few years. In August 2018, for example, information such as the names, phone numbers, and email addresses of around two million customers was stolen.
Hackers were able to grab names and phone numbers again in November 2019. The company stated at the time that a “small number” of its prepaid customers were affected.
In 2022 there was yet another data breach. And again in January 2023 hackers were able to grab customers’ data – in this case roughly 37 million people were affected.
The US telecommunications regulator FCC investigated the data leaks of 2021, 2022, and 2023 and announced in September 2024 that T-Mobile had agreed to pay a penalty of $15.75 million. The company also committed to invest the same sum in the security of its IT systems. (js)