SecurityWeek

Washington Attorney General Sues T-Mobile Over 2021 Data Breach

Washington State Attorney General Bob Ferguson has filed a lawsuit against T-Mobile over a 2021 data breach that impacted over 76 million consumers.

Washington State Attorney General Bob Ferguson on Monday filed a lawsuit against wireless carrier T-Mobile over a 2021 data breach.

Disclosed in August 2021, the attack resulted in the personal information of 76.6 million people being stolen. The next year, T-Mobile agreed to pay $350 million to settle a class action lawsuit over the incident, and in 2024 it agreed to pay a $15.75 million civil penalty to settle an FCC investigation into this and other data breaches.

John Binns, an American citizen living in Turkey, took credit for the attack. Binns is currently held in prison in Turkey after being arrested in connection with the Snowflake attacks. A Canadian national and a US Army soldier were also arrested over the attacks.

On Monday, AG Ferguson sued T-Mobile over its lack of proper security controls over customers’ personal data, asserting that the carrier knew about certain vulnerabilities and failed to address them.

The lawsuit (PDF) also asserts that T-Mobile misled customers by claiming it was prioritizing the protection of collected personal data, and that the carrier failed to properly notify Washingtonians of the incident, downplaying its impact.

The personal information of over 2 million Washingtonians was compromised in the incident, and T-Mobile did not disclose all the affected information in the notification letters sent to consumers, the lawsuit also alleges.

The incident resulted in names, addresses, phone numbers, driver’s license information, and other personal data being stolen, and, for 183,406 Washington consumers, also resulted in Social Security numbers being compromised.

“This significant data breach was entirely avoidable. T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed,” Ferguson said.

The lack of adequate security monitoring prevented the wireless carrier from discovering the data breach for nearly half a year, until an anonymous outside source notified it of the incident.

According to the Washington Attorney General’s Office, T-Mobile’s notification to the impacted customers came in the form of brief text messages that “omitted critical and legally required information, and in some cases misled customers regarding the severity of the breach” and did not mention the compromise of Social Security numbers where that was the case.

The lawsuit also underlines that, although it had fallen victim to multiple data breaches before 2021, T-Mobile failed to address cybersecurity issues and that the 2021 incident was the direct result of T-Mobile’s lack of accountability.

In addition to civil penalties and restitution, the lawsuit seeks injunctive relief to require T-Mobile to improve its cybersecurity policies and procedures and become more transparent when communicating incidents to consumers.

“We have had multiple conversations about this incident from 2021 with the Washington AG’s office over the last several years and even reached out in late November to continue discussions, so the office’s decision to file a lawsuit yesterday came as a surprise. While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC. We also look forward to sharing how T-Mobile has fundamentally transformed our approach to cyber security over the past four years to further protect our customers,” T-Mobile told SecurityWeek in an emailed statement.

*Updated with statement from T-Mobile.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
