T-Mobile is facing a second lawsuit over a 2021 data breach that affected 80 million users. The lawsuit, filed by Washington State Attorney General Bob Ferguson, claims that T-Mobile failed to address known cybersecurity vulnerabilities in its systems.
Ferguson stated that T-Mobile had years to “fix key vulnerabilities” and accused the company of not taking adequate action to secure its systems. The lawsuit also alleges that T-Mobile misled customers regarding its security practices, delayed notifying Washington residents about the breach, and downplayed the breach’s severity.
“For years prior to August 2021, T-Mobile did not meet industry standards for cybersecurity and knew about these vulnerabilities. These included insufficient processes for identifying and addressing security threats and a systemic lack of oversight. In some cases, T-Mobile used obvious passwords to protect accounts that had access to customers’ sensitive personal information. The 2021 breach was enabled, in part, when the hacker guessed obvious credentials to gain access to T-Mobile’s internal databases,” reads the lawsuit.
The company learned of the breach, which had occurred in March 2021, only in August 2021. Hackers accessed sensitive customer data, including names, phone numbers, addresses, birth dates, social security numbers, driver’s license and ID information, and device identifiers. The compromised data was subsequently sold.
The individual responsible for the breach described T-Mobile’s security as “awful” and indicated that the attack was facilitated by the discovery of an unprotected router that allowed access to T-Mobile’s Washington data center.
In response to the breach, T-Mobile issued an apology and committed to enhancing its security measures by partnering with cybersecurity experts.
The current lawsuit seeks restitution for Washington residents affected by the breach, along with injunctive relief to mandate improvements in T-Mobile’s cybersecurity protocols.
T-Mobile previously settled a class action lawsuit related to the data breach for $350 million in 2022 and was fined $60 million by the Committee on Foreign Investment in the US (CFIUS) for not preventing or disclosing unauthorized access to sensitive customer data.