The state of Washington has filed a lawsuit against T-Mobile, accusing the carrier of failing to safeguard sensitive data for more than 2 million residents and of “downplaying the severity” of its massive data breach in its communications with affected customers.
The lawsuit, filed by Attorney General Bob Ferguson, is the latest in a string of suits alleging the company failed to address known cybersecurity vulnerabilities. In 2021, a hacker accessed and exposed personal information of more than 79 million T-Mobile customers nationwide, including more than 2 million Washington residents.
T-Mobile previously agreed to a $350 million settlement to resolve claims that its negligence led to the breach. It was the second-largest data breach settlement in US history, following Equifax’s $700 million settlement in 2019. Meanwhile, T-Mobile was hit with a $15.75 million fine last year by the Federal Trade Commission related to its repeated security breaches.
The Washington state lawsuit seeks additional penalties and changes to T-Mobile’s cybersecurity practices to prevent future breaches.
The new suit says T-Mobile knew “for years” about some of its cybersecurity vulnerabilities and didn’t do enough to address them, which made customers caught up in the breach vulnerable to identity theft and fraud. T-Mobile’s headquarters are in the Seattle suburb of Bellevue, Washington.
Read more: T-Mobile Home Internet Review
The lawsuit says that more than 183,000 Washington residents had their Social Security numbers compromised but were “inadequately” notified that they were among the affected group, making it difficult for them to determine if they were at risk.
The lawsuit alleges that T-Mobile didn’t disclose enough information about what was compromised. Beyond Social Security numbers, the hacker exposed phone numbers, names, physical addresses, driver’s license information and other personal data.
“This significant data breach was entirely avoidable,” Ferguson said in a press release. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”
In a statement sent to CNET, T-Mobile said the lawsuit “came as a surprise” because the company had been involved in ongoing discussions with the Washington attorney general’s office over the years. It also said it reached out to the office in late November to continue those conversations.
“While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC,” T-Mobile said in a statement.
The company added that T-Mobile “fundamentally transformed” its “approach to cyber security over the past four years to further protect our customers.”
For years, T-Mobile marketed itself as prioritizing cybersecurity, with the tagline: “We’ve got your back. We’re always working to protect you and your family and keep your data secure.”
Read more: I Use T-Mobile Home Internet Every Day. Here’s What I Love (and a Few Things I Don’t)
But the lawsuit cited a 2020 filing with the federal Securities and Exchange Commission that revealed T-Mobile was aware it remained a target of cyberthreats.
“We are subject to the threat of unauthorized access or disclosure of Confidential Information by … malicious actors … that could compromise the confidentiality and integrity of Confidential Information,” the filing with the SEC read, according to the lawsuit.
T-Mobile said it would “expect to continue to be the target of cyber-attacks, data breaches, or security incidents.”
The lawsuit argues that company failures violated Washington’s Consumer Protection Act, which prohibits unfair and deceptive business practices, and it seeks civil penalties and restitution for impacted Washington customers.
It also calls for court-ordered changes to improve T-Mobile’s cybersecurity practices and requires the company to be more transparent about cybersecurity risks and data breaches.
+ There are no comments
Add yours