A US state is suing T-Mobile over a 2021 data breach in which the data of millions of people was leaked
- A 2021 T-Mobile data breach exposed the data of millions of customers
- The state of Washington is now suing the telecom giant
- The lawsuit alleges that T-Mobile failed to protect and notify customers
The US state of Washington is taking legal action against telecommunications giant T-Mobile over consumer protection deficiencies following a 2021 data breach that exposed up to 79 million consumers worldwide, including the Social Security numbers of nearly 184,000 customers in the state.
As part of the Washington lawsuit, the state alleges that T-Mobile failed to “adequately secure sensitive personal information of more than 2 million Washington residents.” This failure, the state alleges, left these consumers vulnerable to fraud and identity theft.
The lawsuit claims the breach was “entirely avoidable” and explains that T-Mobile has had years to fix key vulnerabilities in its cybersecurity systems but has failed to properly address them. Due to a lack of security monitoring, T-Mobile was unaware of the breach.
Misleading T-Mobile customers
The lawsuit alleges that T-Mobile deliberately downplayed the severity of the breach to affected consumers and omitted crucial information, which in turn compromised customers’ ability to “adequately assess their risk of identity theft or fraud.”
The company sent text messages to affected customers, but did not include the legally required information. Customers whose card information or Social Security numbers were not compromised were notified, but those whose information was compromised were not provided with any information about the exposure.
According to the lawsuit, T-Mobile used “weak credentials” and an “easily guessed username and password,” and the exposed data appeared for sale on the dark web almost immediately after it was stolen.
T-Mobile recently agreed to pay a fine of more than $15 million to the FCC as part of a settlement following a series of high-profile data breaches between 2021 and 2023. The company was also ordered to make significant changes to its cybersecurity infrastructure and adopt more robust identity and access management frameworks.