Washington State suing T-Mobile over data breach impacting 79M people

Washington state sues T-Mobile for 2021 safety violation that revealed personal data about 79 million people, including 2 million in Washington. The data discovered included social security numbers, phone numbers, physical addresses, unique IMEI numbers and driver’s license information.

The airline is accused of failing to follow standard cybersecurity processes, allowing the hack to go undetected for four months…

T-Mobile data leak

The phrase itself begs the question “which one?” and in this case, an attack in which a hacker obtained the personal data of about 79 million Americans.

The hack happened in April 2021, but T-Mobile didn’t even realize it happened until the hacker started advertising data for sale in August of the same year.

At first the operator said he didn’t know if customer data had been received, then he said yes, and No only your own clients. At that time, the number of victims was estimated at 47.8 million, but later admitted that it was 79 million.

Series from further violations saw the Federal Communications Commission (FCC) fine the carrier $15.75 million.and ordered him to spend the same amount again on beefing up security measures.

Washington State Sues T-Mobile

Attorney General Bob Ferguson announced He filed a lawsuit against the company this week, claiming the violation was “entirely avoidable.”

lawsuitfiled in King County Superior Court, alleges that T-Mobile knew about certain cybersecurity vulnerabilities for years and did not take sufficient steps to address them. At the same time, T-Mobile misrepresented to consumers that the company prioritized protecting the personal data it collected.

Ferguson’s lawsuit also alleges that T-Mobile failed to adequately notify affected Washington state residents about the data breach, downplaying its severity and sending notices to affected consumers who did not disclose all of the information that was compromised.

In short, the lawsuit alleges that the massive data breach was a direct result of T-Mobile’s lack of accountability and failure to adhere to industry cybersecurity standards.

“This serious data breach was completely avoidable,” Ferguson said. “T-Mobile has had years to patch key vulnerabilities in its cybersecurity systems—and failed.”

The lawsuit says T-Mobile’s security failures violated consumer protection laws.

For years prior to August 2021, T-Mobile failed to meet industry cybersecurity standards and was aware of these vulnerabilities. These include insufficient processes for identifying and addressing security threats, as well as a systematic lack of oversight. In some cases, T-Mobile used obvious passwords to protect accounts that had access to customers’ sensitive personal information. The 2021 hack was made possible in part when a hacker guessed obvious credentials to gain access to T-Mobile’s internal databases.

Before 2021, T-Mobile had already suffered numerous cyber attacks. In fact, documents filed with the Federal Securities and Exchange Commission for 2020—a year before the data breach that sparked Ferguson’s lawsuit—show that T-Mobile knew it would continue to be a target.

Even though T-Mobile knew about these cybersecurity issues and failed to address them for years, it continued to misrepresent its commitment to cybersecurity to its customers by publicly advertising on its website: “We’ve got your back. We are always working to protect you and your family and keep your data secure.”

Ferguson’s lawsuit alleges that these failures violated the Washington Consumer Privacy Act. He claims the 2021 data breach was a direct result of T-Mobile’s lack of accountability.

T-Mobile told us:

We have discussed this 2021 incident with the Washington AG’s office multiple times over the past few years, even contacting us in late November to continue the discussion, so the office’s decision to file a lawsuit came as a surprise. While we do not agree with their approach and the statements contained in the filing, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC. We also look forward to sharing how T-Mobile has fundamentally changed our approach to cybersecurity over the past four years to further protect our customers.

Photo by the author Matthew Maya on Unsplash