Washington Attorney General Sues T-Mobile Over 2021 Data Breach

January 7, 2025 5:31 pm

Washington State Attorney General Bob Ferguson on Monday filed a lawsuit against wireless carrier T-Mobile over a 2021 data breach.

Disclosed in August 2021, the attack resulted in the personal information of 76.6 million people being stolen. The next year, T-Mobile agreed to pay $350 million to settle a class action lawsuit over the incident, and in 2024 it agreed to pay a $15.75 million civil penalty to settle an FCC investigation into this and other data breaches.

John Binns, an American citizen living in Turkey, took credit for the attack. Binns is currently held in prison in Turkey after being arrested in connection with the Snowflake attacks. A Canadian national and a US Army soldier were also arrested over the attacks.

On Monday, AG Ferguson sued T-Mobile over its lack of proper security controls over customers’ personal data, asserting that the carrier knew about certain vulnerabilities and failed to address them.

The lawsuit also asserts that T-Mobile misled customers by claiming it was prioritizing the protection of collected personal data, and that the carrier failed to properly notify Washingtonians of the incident, downplaying its impact.

The personal information of over 2 million Washingtonians was compromised in the incident, and T-Mobile did not disclose all the affected information in the notification letters sent to consumers, the lawsuit also alleges.

The incident resulted in names, addresses, phone numbers, driver’s license information, and other personal data being stolen, and, for 183,406 Washington consumers, also resulted in Social Security numbers being compromised.

“This significant data breach was entirely avoidable. T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed,” Ferguson said.

The lack of adequate security monitoring prevented the wireless carrier from discovering the data breach for nearly half a year, until an anonymous outside source notified it of the incident.

According to the Washington Attorney General’s Office, T-Mobile’s notification to the impacted customers came in the form of brief text messages that “omitted critical and legally required information, and in some cases misled customers regarding the severity of the breach” and did not mention the compromise of Social Security numbers where that was the case.

The lawsuit also underlines that, although it had fallen victim to multiple data breaches before 2021, T-Mobile failed to address cybersecurity issues and that the 2021 incident was the direct result of T-Mobile’s lack of accountability.

In addition to civil penalties and restitution, the lawsuit seeks injunctive relief to require T-Mobile to improve its cybersecurity policies and procedures and become more transparent when communicating incidents to consumers.

“We have had multiple conversations about this incident from 2021 with the Washington AG’s office over the last several years and even reached out in late November to continue discussions, so the office’s decision to file a lawsuit yesterday came as a surprise. While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC. We also look forward to sharing how T-Mobile has fundamentally transformed our approach to cyber security over the past four years to further protect our customers,” T-Mobile told SecurityWeek in an emailed statement.

© Copyright 2025 Credit and Collection News