Washington State Attorney General Bob Ferguson has filed a lawsuit against T-Mobile regarding a 2021 data breach that exposed sensitive personal information of 79 million users nationwide, including over 2 million Washington state residents. The legal action comes amid growing concerns over telecommunications carriers’ cybersecurity practices, following several high-profile breaches in the industry.
The breach, which occurred in March 2021, remained undetected for six months until customer data surfaced on the dark web in August 2021. Attackers exploited vulnerabilities in T-Mobile’s systems to gain access to the sensitive information, including Social Security numbers, driver’s license information, and other personal identifiers that could be used for identity theft.
The lawsuit alleges that T-Mobile failed to adequately secure customer data and did not properly notify affected individuals about the breach. “When it learned of the data breach, T-Mobile’s notification to affected consumers was inadequate in numerous ways,” said Attorney General Ferguson. The state claims that T-Mobile’s communications omitted critical details, misrepresented the breach’s severity, and failed to inform customers whose Social Security numbers were compromised.
The legal action highlights T-Mobile’s vulnerability to repeated cyber threats despite previous incidents. The breach follows earlier security incidents at T-Mobile, including a significant API vulnerability that exposed customer data. The Attorney General’s office contends that the company did not implement sufficient cybersecurity measures to protect customer data, despite being part of the Mobile Authentication Taskforce that aims to enhance mobile security.
Under the lawsuit, Washington state is seeking civil penalties under the Consumer Protection Act and financial compensation for affected customers. The legal action aims to establish precedent regarding businesses’ responsibilities in protecting client data and breach notification requirements, particularly as states strengthen their data protection regulations.
In January 2025, Washington state reinforced its legal position against T-Mobile, maintaining focus on the company’s alleged failure to secure sensitive personal information and meet its obligations to protect customer data. The ongoing case reflects broader industry concerns about data security and consumer protection in the telecommunications sector, where carriers maintain vast repositories of sensitive customer information.
Sources: Cerium Networks, CM Alliance, Hunton Insurance Recovery Blog, CSO Online, Cybersecurity Ventures
Follow Us