Washington State Attorney General Bob Ferguson has filed a consumer protection lawsuit against T-Mobile, accusing the telecommunications giant of failing to adequately secure sensitive personal information, which led to a massive data breach affecting more than 2 million residents of Washington.
The lawsuit, filed today in King County Superior Court, claims T-Mobile’s negligence made consumers vulnerable to fraud and identity theft.
The breach, which T-Mobile discovered in August 2021, exposed the personal data of over 79 million individuals nationwide, including 2,025,634 Washingtonians.
Among these, 183,406 Washington residents had their Social Security numbers compromised. Other sensitive information, such as phone numbers, names, addresses, and driver’s license details, was also exposed.
A Long-Standing Failure to Address Cybersecurity Risks
Ferguson’s lawsuit alleges that T-Mobile was aware of vulnerabilities in its cybersecurity systems for years but failed to take action despite repeated warnings.
The suit contends the company did not adhere to industry standards or employ proper mechanisms for identifying and mitigating security threats.
According to the lawsuit, some accounts protecting sensitive customer data were secured with “obvious” passwords, allowing hackers to gain access.
The breach occurred between March and August 2021, but T-Mobile only became aware of it when a third party alerted the company that customer information was being sold on the dark web.
“This significant data breach was entirely avoidable,” Ferguson stated. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”
Adding to the lawsuit’s claims is the assertion that T-Mobile misrepresented its commitment to consumer data protection. On its website, the company publicly assured customers: “We’ve got your back. We’re always working to protect you and your family and keep your data secure.”
A Failure in Notification and Transparency
The lawsuit also accuses T-Mobile of downplaying the breach’s severity and failing to notify affected customers adequately. Notifications sent to consumers via text omitted critical information, including the scope of the breach and the type of data compromised.
Some customers were misinformed about their risk level, while others were not notified at all about the exposure of sensitive data, such as Social Security numbers.
For example, Washingtonians whose Social Security numbers were compromised did not receive any details regarding this exposure.
However, customers whose Social Security numbers were not compromised were explicitly informed of this fact, creating inconsistency and confusion.
Ferguson argues this lack of transparency hindered Washington residents from fully understanding their risk and taking steps to protect themselves from potential identity theft and fraud.
The 2021 breach was not an isolated incident. T-Mobile had been targeted by several prior cyberattacks, and corporate filings with the U.S. Securities and Exchange Commission in 2020 indicated the company anticipated being a target in the future.
Despite these warnings, the lawsuit asserts the company failed to implement sufficient safeguards to protect sensitive data.
Legal Action Seeking Penalties and Improved Cybersecurity Practices
The lawsuit filed by Attorney General Ferguson alleges that T-Mobile’s actions constitute violations of Washington’s Consumer Protection Act.
Specifically, it claims the data breach was a direct result of T-Mobile’s lack of accountability, failure to adhere to cybersecurity best practices, and misrepresentation of its data protection measures.
Ferguson is seeking civil penalties and restitution for affected Washingtonians, as well as injunctive relief to compel T-Mobile to strengthen its cybersecurity policies.
The lawsuit demands increased transparency from T-Mobile regarding its cybersecurity practices and the risks it poses to consumers.
“This lawsuit is about holding T-Mobile accountable and ensuring they address their systemic failures to protect personal information,” Ferguson said.
The case is being handled by a dedicated legal team that includes Assistant Attorneys General Mina Shahin, Kathleen Box, Bret Finkelstein, and Gardner Reed, with support from Paralegal Matt Hehemann, Legal Assistant Luis Oida, and Investigator Steuart Markley.
Attorney General Ferguson’s office continues to advocate for consumer protection, ensuring corporations are held accountable for safeguarding sensitive personal information. The outcome of this lawsuit could mark a significant step toward improved data security standards nationwide.