Washington State Attorney General Bob Ferguson has filed a lawsuit against T-Mobile over a major data breach that occurred in 2021, affecting approximately 79 million customers nationwide, including more than 2 million Washington residents. The incident represents one of the largest telecommunications data breaches in U.S. history and follows several other security incidents at T-Mobile since 2018.
The data breach, which began in March 2021 and remained undetected for six months until customer information appeared on the dark web, exposed sensitive personal data including names, dates of birth, Social Security numbers, and driver’s license information. The exposure of such data poses significant risks for identity theft and fraud, particularly as cybercriminals increasingly target mobile carrier databases for SIM-swapping attacks and other fraudulent activities.
According to the lawsuit filed in King County Superior Court, T-Mobile allegedly failed to address known cybersecurity vulnerabilities despite being aware of them for years. “This significant data breach was entirely avoidable. T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed,” said Attorney General Ferguson. The lawsuit comes as mobile carriers face increasing pressure to enhance their security measures, with the industry previously attempting to address authentication challenges through initiatives like the ZenKey authentication platform.
The legal action alleges that T-Mobile provided inadequate notification to affected customers, with current customers receiving brief text messages that omitted critical information about the breach’s severity. Notably, customers whose Social Security numbers were compromised were not specifically informed about this exposure, potentially limiting their ability to take protective measures such as credit freezes or enhanced identity monitoring.
The lawsuit further claims that T-Mobile misrepresented its cybersecurity capabilities and downplayed the breach’s severity, potentially hampering customers’ ability to protect themselves against identity theft and fraud. The state is seeking financial damages under Washington’s consumer protection laws and a court order requiring T-Mobile to strengthen its cybersecurity practices.
The incident marks the latest in a series of security breaches at T-Mobile, with at least five documented incidents since 2018. The frequency of these breaches has raised concerns about the telecommunications industry’s overall approach to data protection and identity verification. In response to the lawsuit, T-Mobile has stated that they have engaged in multiple discussions with the Washington Attorney General’s office and have implemented significant changes to their cybersecurity infrastructure. “We have fundamentally transformed our approach to cybersecurity over the past four years to further protect our customers,” said a company spokesperson.
The case highlights the growing importance of robust digital identity protection measures in the telecommunications sector, as carriers continue to serve as crucial gatekeepers for personal information and mobile authentication services.
Sources: TechRadar, BleepingComputer, TechCrunch
Follow Us