Attorney General Bob Ferguson has initiated a lawsuit against T-Mobile, alleging the company failed to secure sensitive personal information of over 2 million residents of Washington state. The breach reportedly exposed consumers to potential fraud and identity theft. Filed in King County Superior Court, the lawsuit claims that T-Mobile was aware of cybersecurity vulnerabilities for years but did not adequately address them.
The legal action further accuses T-Mobile of misrepresenting its commitment to data protection and failing to properly notify affected individuals about the breach's severity. "This significant data breach was entirely avoidable," Ferguson stated. "T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed."
The breach was discovered by T-Mobile in August 2021 after a hacker accessed its network, compromising personal information of over 79 million people nationwide, including 2,025,634 from Washington state. Of these, 183,406 had their Social Security numbers compromised. Other leaked data included phone numbers, names, addresses, and driver’s license information.
The breach began in March 2021 and lasted until August 12 of that year. The lawsuit notes that due to insufficient security monitoring, T-Mobile only became aware of the issue when an external source informed them that customer data was being sold on the dark web.
Ferguson's suit highlights inadequacies in T-Mobile's notification process post-breach. Customers were informed through text messages lacking critical details about the severity and scope of the incident. Particularly concerning was that current customers with compromised Social Security numbers were not specifically notified about this exposure.
The lawsuit argues that these notification shortcomings hindered consumers' ability to assess their risk accurately regarding identity theft or fraud. It also points out that prior to August 2021, T-Mobile did not adhere to industry cybersecurity standards despite knowing about existing vulnerabilities. The company's failure included weak processes for identifying threats and poor oversight.
Historical records indicate that before this breach, T-Mobile had been targeted by multiple cyberattacks. In documents filed with the Securities and Exchange Commission in 2020—one year before this incident—T-Mobile acknowledged it would remain a target for such attacks.