Cover Image for T-Mobile faces another lawsuit over the data breach that occurred in 2021.
Wed Jan 08 2025

T-Mobile faces another lawsuit over the data breach that occurred in 2021.

This time it focuses specifically on the state of Washington.

The state of Washington has filed a lawsuit against T-Mobile for allegedly failing to address cybersecurity vulnerabilities that allowed a hacker to expose personal data of 79 million people nationwide. This legal action, initiated by Washington Attorney General Bob Ferguson on Monday, stems from a cyberattack that began in March 2021 and went unnoticed until T-Mobile revealed the breach in August.

According to the filed document, T-Mobile did not take necessary steps to resolve certain security vulnerabilities that the company had known about for “years,” and also failed to properly notify over two million Washington residents who were affected by the incident. The lawsuit argues that the company downplayed the severity of the data breach, which exposed personal information of current, former, and potential customers, including names, phone numbers, physical addresses, dates of birth, Social Security numbers, and driver’s license or identification numbers.

Additionally, it is argued that the notifications issued by T-Mobile regarding the data breach violated the Consumer Protection Act by omitting key information that made it difficult for individuals to assess whether they were at risk of identity theft or fraud. The complaint also states that T-Mobile had not adhered to industry cybersecurity standards for years prior to the attack, using “obvious passwords” to protect accounts that accessed consumer information.

“This significant data breach was entirely avoidable,” Ferguson said in a statement. “T-Mobile had years to correct key vulnerabilities in its cybersecurity systems and failed to do so.”

This is not the first time the state of Washington has taken legal action against T-Mobile; in 2013, Ferguson managed to persuade the company to clarify the limitations of its “no contract” wireless service plan. In this instance, the lawsuit seeks compensation for customers affected by the 2021 breach and a court order requiring T-Mobile to align its cybersecurity practices with industry standards, as well as to improve transparency and communication regarding future data breaches. This comes after T-Mobile agreed to pay $350 million in 2022 to resolve a class-action lawsuit related to the 2021 cyberattack, and an additional fine of $15.75 million last year due to an FCC investigation into the company's repeated cybersecurity incidents.