The state of Washington has filed a lawsuit against T-Mobile, accusing the telecommunications giant of failing to protect the personal data of millions of residents before a significant data breach in August 2021. This cyberattack compromised the sensitive information of over 79 million customers across the U.S.
Washington Attorney General Bob Ferguson announced the legal action, stating that T-Mobile had long been aware of vulnerabilities in its cybersecurity systems but did not take sufficient action to address them. The lawsuit seeks financial penalties under Washington’s consumer protection laws and aims to mandate stronger cybersecurity measures at T-Mobile.
The 2021 breach marked the latest in a string of data security failures for T-Mobile, which has experienced at least five breaches since 2018. In this incident, hackers gained access to the company’s systems, stealing sensitive customer details, including names, birth dates, Social Security numbers, and driver’s license information. Portions of the stolen data were later posted on a well-known cybercriminal forum.
Ferguson criticized T-Mobile’s response to the breach, claiming the company downplayed its severity and failed to provide adequate notice to affected customers. He argued this left consumers ill-equipped to protect themselves against potential identity theft or fraud.
“This breach was entirely preventable,” Ferguson said in a press release. “T-Mobile had ample time to address critical weaknesses in its cybersecurity framework but failed to act.”
The lawsuit, filed in a federal court in Seattle, details alleged security flaws and internal practices that may have facilitated the hacker’s access. Key accusations include the use of weak login credentials, allowing unauthorized connections from outside the network, and failing to implement rate-limiting on login attempts, enabling unlimited guesses without locking accounts. The complaint also highlights T-Mobile’s inadequate monitoring systems, which allowed the breach to go undetected for an extended period.
The lawsuit further accuses T-Mobile of misrepresenting its cybersecurity measures and minimizing the risks posed to customers, including the presence of compromised data on the dark web.
T-Mobile initially declined to comment but later issued a statement through spokesperson Michelle Jacob, calling the lawsuit a “surprise.” The company expressed its willingness to resolve the issue and noted it had already cooperated with the FCC regarding the matter.
This legal challenge underscores the growing scrutiny of companies’ cybersecurity practices, especially when dealing with highly sensitive customer information.
