Washington State Attorney General Bob Ferguson has filed a consumer protection lawsuit against T-Mobile regarding a 2021 data breach that exposed the personal information of over 79 million customers nationwide, including more than 2 million Washington residents. The incident represents one of the largest telecom security breaches since CISA began implementing enhanced mobile security guidance for telecommunications providers.
The breach, which began in March 2021 and was discovered in August of that year, came to light when an anonymous source informed T-Mobile that customer data was being sold on the dark web. The compromised information included sensitive personal data of 2,025,634 Washington State residents. The security failure occurred despite T-Mobile’s previous efforts to enhance security through initiatives like the ZenKey authentication platform, which was designed to provide more secure, password-free authentication for mobile users.
According to the lawsuit, T-Mobile allegedly failed to implement adequate security measures despite being aware of vulnerabilities in their systems for years. “This significant data breach was entirely avoidable,” said Attorney General Ferguson. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems and it failed.”
The legal action alleges that T-Mobile’s notification to affected customers was insufficient, specifically citing a text message that omitted crucial information about compromised Social Security numbers. The omission, the lawsuit claims, prevented customers from properly assessing their risk of identity theft or fraud. The handling of sensitive personal information has become increasingly scrutinized as industry experts advocate for stronger data protection measures, including biometric solutions.
The lawsuit further contends that T-Mobile downplayed the severity of the breach in its communications with customers, noting that the company’s message stated, “We have no evidence that your debit/credit card information was compromised.” Additional allegations focus on inadequate data storage practices and insufficient risk management and security monitoring procedures, issues that have become increasingly important as mobile carriers expand their data monetization efforts.
In July 2022, T-Mobile agreed to a $350 million settlement in a related class-action lawsuit, though the company made no admission of liability or wrongdoing. The current lawsuit from the Washington State Attorney General’s office seeks civil penalties and institutional reforms to protect Washington residents affected by the breach.
Sources: MyNorthwest, MLex, MLex
Follow Us