Washington State has initiated a lawsuit against T-Mobile due to a security incident from 2021 that compromised the personal information of approximately 79 million individuals, including 2 million residents of Washington. The leaked data encompassed social security numbers, phone numbers, home addresses, unique IMEI numbers, and driver’s license details.
The telecom provider is accused of neglecting standard cybersecurity protocols, which allowed the breach to occur without detection for four months…
T-Mobile Data Breach
This term raises the query “which incident?” In this case, it refers to an event where a hacker accessed the personal information of roughly 79 million Americans.
The infraction took place in April 2021, yet T-Mobile did not recognize it until August of that year when the hacker began advertising the stolen data.
Initially, the carrier claimed uncertainty regarding whether customer data was breached, only later to confirm it – stating that not only its own customers were affected. Initially, T-Mobile estimated that 47.8 million people were impacted, but subsequently revised that number to 79 million.
A series of additional security breaches led to the Federal Communications Commission (FCC) imposing a $15.75 million fine on the company, mandating the same amount be invested to enhance its security measures.
Washington State’s Lawsuit Against T-Mobile
Attorney General Bob Ferguson announced his lawsuit against the carrier this week, stating that the incident was “completely preventable.”
The lawsuit, lodged in King County Superior Court, claims that T-Mobile had been aware for years of certain cybersecurity weaknesses but failed to take adequate measures. Simultaneously, T-Mobile misled consumers into believing that safeguarding their personal data was a top priority.
Additionally, Ferguson’s lawsuit asserts that T-Mobile did not adequately inform affected Washington residents about the data breach, minimizing its severity and providing notices that failed to outline all the compromised information.
Essentially, the lawsuit contends that the major data breach stemmed from T-Mobile’s lack of accountability and non-compliance with industry cybersecurity protocols.
“This significant data breach was entirely avoidable,” Ferguson remarked. “T-Mobile had years to rectify crucial vulnerabilities in its cybersecurity systems — and it did not.”
The lawsuit alleges T-Mobile’s security deficiencies contravened consumer protection laws.
For years prior to August 2021, T-Mobile did not adhere to industry cybersecurity standards and was aware of these vulnerabilities. These included inadequate processes for recognizing and tackling security threats, alongside a broad absence of oversight. In some instances, T-Mobile utilized easily guessed passwords to secure accounts that accessed customers’ sensitive personal data. The 2021 breach was partly facilitated when the hacker guessed these obvious credentials to infiltrate T-Mobile’s internal databases.
Leading up to 2021, T-Mobile had already been a victim of numerous cyberattacks. In fact, federal Securities and Exchange Commission filings from 2020 — a year prior to the data breach central to Ferguson’s lawsuit — indicated T-Mobile was aware it would remain a target.
Despite acknowledging and failing to rectify these cybersecurity issues for years, T-Mobile continued to mislead its customers about its commitment to cybersecurity, publicly declaring on its website: “We’ve got your back. We’re always working to protect you and your family and keep your data secure.”
Ferguson’s lawsuit avers that these failures breached Washington’s Consumer Protection Act, asserting that the 2021 data breach was a direct consequence of T-Mobile’s lack of accountability.
Photo by Mateus Maia on Unsplash
: . More.
