Washington state sues T-Mobile over 2021 data breach security failures

Washington state has sued T-Mobile over failing to secure the sensitive personal information of over 2 million Washington residents in a 2021 data breach.

The case dates back to August 2021, when T-Mobile admitted that attackers brute forced their way into its corporate network and gained access to the sensitive information of 79 million people nationwide.

The data breach itself, though, began in March 2021, and the malicious activity went unnoticed for the following six months.

T-Mobile only learned of the breach after customer data appeared on the dark web. According to Washington Attorney General Bob Ferguson, the telecom giant chose to play down the severity of the breach and failed to notify impacted individuals in a timely manner.

"When it learned of the data breach, T-Mobile's notification to affected consumers was inadequate in numerous ways," reads the AG's announcement.

"Current customers received text messages that were brief, omitted critical and legally required information, and in some cases misled customers regarding the severity of the breach."

"Moreover, current customers whose Social Security numbers were exposed did not receive any information regarding that exposure."

Ferguson alleges that this breach came after a series of previous cyberattacks that showed T-Mobile remained in threat actors' crosshairs, yet the firm allegedly failed to implement the appropriate security measures to prevent its occurrence.

This continued into 2024, when T-Mobile was compromised by the Chinese state-backed actors "Salt Typhoon." However, the telecommunications firm says that no customer data was accessed as part of this breach.

The lawsuit, filed at King Country Superior Court, also alleges that T-Mobile misrepresented its cybersecurity capabilities, giving customers a false sense of security and safety about their data.

The legal action now seeks a court order mandating that T-Mobile strengthen its cybersecurity practices to meet industry standards and improve transparency and customer communication when data breaches happen.

The lawsuit also seeks the approval of civil penalties for violations of the Consumer Protection Act and compensation to affected customers who suffered damages resulting from the breach.

Additionally, T-Mobile may be ordered to surrender any financial gains obtained through the alleged deceptive practices.

BleepingComputer has contacted T-Mobile requesting a statement on the Washington AG lawsuit, and a spokesperson sent us the following comment:

"We have had multiple conversations about this incident from 2021 with the Washington AG's office over the last several years and even reached out in late November to continue discussions, so the office's decision to file a lawsuit yesterday came as a surprise," T-Mobile told BleepingComputer.

"While we disagree with their approach and the filing's claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC. We also look forward to sharing how T-Mobile has fundamentally transformed our approach to cyber security over the past four years to further protect our customers."