Not willing to give T-Mobile an easy pass, attorney sues for avoidable harm to customers

T-Mobile has been sued again, this time by Washington-based Attorney General Bob Ferguson. Ferguson has filed a consumer protection lawsuit against the carrier for not safeguarding more than 2 million Washington residents from a 2021 data breach.

T-Mobile has been breached several times in recent years. The lawsuit pertains to a breach that began in March 2021 and continued until August 2021, which is when it was discovered by an outside source, who notified the company. During the attack, a hacker was able to access the carrier's internal network and steal and sell information belonging to over 79 million consumers on the dark web. The compromised data included names, social security numbers, phone numbers, addresses, and driver’s license information.

The lawsuit revolves around the preventable nature of the attack, which it alleges happened due to T-Mobile's failure to address certain cybersecurity vulnerabilities, about which it had known for years. The company also did not satisfy industry standards for cybersecurity and used easy-to-guess passwords for some accounts with sensitive customer information. The lawsuit says that the hacker guessed their way into T-Mobile’s internal databases, making the 2021 breach possible.

The lawsuit reveals that the network configuration was inadequate and it did not put any limits on authentication attempts.

T-Mobile's monitoring and alerting system was not able to detect the presence of a threat actor and the breach would have continued for longer had it not been alerted by an outside source.

T-Mobile had also been attacked multiple times before 2021, and it was aware that it would continue to be a target of cyber attacks and security incidents. To be more specific, its systems were accessed by unauthorized personnel five times between 2017 and mid-2022 alone.

This did not deter T-Mobile from giving its customers the impression that their data was safe with it.

The lawsuit also accuses the company of downplaying the severity of the breach and not properly disclosing it to the residents of Washington. This impacted their ability to properly assess the risk of identity theft or fraud and minimize any possible impacts, such as implementing a security freeze.

Ferguson is seeking injunctive relief and restitution as well as reimbursement of costs, including attorney fees.

John Binns, the person believed to be responsible for the 2021 attack, was arrested in May.

T-Mobile had previously agreed to pay $350 million to settle another class action lawsuit filed by customers over the data breach. It also settled with the Federal Communications Commission (FCC) for $31.5 million over breaches that happened in 2021, 2022, and 2023.