Washington state has launched a lawsuit against T-Mobile following a significant data breach that exposed sensitive personal information of more than 2 million Washington residents. The breach, discovered in August 2021, affected approximately 79 million people nationwide after attackers successfully infiltrated T-Mobile’s corporate network.
The breach remained undetected for six months, only coming to light when customer data surfaced on the dark web. Washington Attorney General Bob Ferguson alleges that T-Mobile downplayed the incident’s severity and failed to properly notify affected customers. The company’s notification process was criticized for being inadequate, with text messages to current customers lacking crucial information and sometimes misleading them about the breach’s extent.
Key Issues in the Lawsuit:
– Failure to implement adequate security measures despite previous cyberattacks
– Inadequate breach notification to affected customers
– Misrepresentation of cybersecurity capabilities
– Non-disclosure of compromised Social Security numbers to affected customers
The lawsuit seeks:
– Mandatory enhancement of T-Mobile’s cybersecurity practices
– Improved transparency in breach communications
– Civil penalties for Consumer Protection Act violations
– Customer compensation
– Surrender of profits from alleged deceptive practices
T-Mobile maintains they have transformed their cybersecurity approach over the past four years and expressed surprise at the lawsuit, stating they were open to further dialogue with the Washington AG’s office. While the company faced another breach in 2024 by Chinese state-backed actors “Salt Typhoon,” they assert no customer data was compromised in that incident.