Telecom giant sued over new data breach

Telecommunications giant T-Mobile is facing another legal challenge in the wake of a 2021 data breach, as Washington Attorney General Bob Ferguson filed a consumer protection lawsuit against the company. This recent lawsuit alleges that T-Mobile violated Washington’s Consumer Protection Act by failing to adequately protect the personal data of over 2 million Washington residents.

This legal action comes on the heels of T-Mobile settling a Federal Communications Commission (FCC) lawsuit with a payment of USD 31.5 million earlier this year. The FCC lawsuit specifically addressed data breaches that exposed consumer data between 2021 and 2023.

The lawsuit filed in King County Superior Court claims that T-Mobile was aware of cybersecurity weaknesses for years before the August 2021 breach that left personal information, including social security numbers, of nearly 80 million users exposed. This breach affected 2.5% of Washington residents. In 2022, T-Mobile settled a lawsuit related to this breach with a payment of USD 350 million.

The complaint alleges that T-Mobile failed to follow industry standards and its internal cybersecurity policies, leading to the vulnerability exploited in the August 2021 breach. Despite claims on their website that they had consumers’ backs when it came to data security, the complaint asserts that T-Mobile neglected to implement adequate cybersecurity measures to address known vulnerabilities.

T-Mobile’s practices, including a lack of risk management structure and centralised ownership for compliance, as well as poor password management that did not meet FTC standards, allegedly contributed to the avoidable August breach. T-Mobile was only made aware of the breach when a third party informed them that consumer data was for sale on the dark web.

The lawsuit also criticizes T-Mobile for providing inadequate notifications to affected customers following the breach. Consumers received brief and misleading messages that did not contain crucial information required by law. This failure to adequately notify customers limited their ability to protect their personal information effectively.

Attorney General Bob Ferguson emphasized that the data breach was entirely avoidable and criticized T-Mobile for failing to address key vulnerabilities in its cybersecurity systems. The lawsuit seeks civil penalties, restitution for affected Washington residents, and injunctive relief to improve T-Mobile’s cybersecurity practices and transparency in communication.