Washington Takes Legal Action Against T-Mobile for 2021 Data Breach Exposing 79 Million Customer Records

The state of Washington has taken legal action against T-Mobile, alleging that the telecommunications giant failed to protect the personal data of millions of its residents before a significant data breach in August 2021. This incident impacted over 79 million customers across the United States and has raised serious concerns about data security practices in the telecom industry.

Details of the Lawsuit Against T-Mobile

Washington’s Attorney General, Bob Ferguson, announced the lawsuit, stating that T-Mobile had been aware of certain cybersecurity vulnerabilities for years but did not take adequate steps to address them. The lawsuit seeks to impose financial penalties under the state’s consumer protection laws and to require T-Mobile to enhance its cybersecurity measures.

Background of the August 2021 Data Breach

The data breach in August 2021 was not an isolated incident; it was part of a troubling trend, with at least five security breaches reported at T-Mobile since 2018, according to TechCrunch. The breach allowed unauthorized access to sensitive customer information, including:

  • Names
  • Dates of birth
  • Social Security numbers
  • Driver’s license information

Some of this stolen data was later found published on a known cybercriminal forum, further highlighting the severity of the breach.

Consumer Notification and Risk of Identity Theft

Ferguson criticized T-Mobile for providing insufficient notification to affected customers, claiming that the communication “omitted critical information and downplayed the severity” of the breach. This lack of transparency hindered consumers’ ability to evaluate their risk of identity theft or fraud.

“This significant data breach was entirely avoidable,” Ferguson stated. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”

Technical Failures Alleged in the Complaint

The lawsuit, filed in a federal court in Seattle, includes details about the alleged technical failures that contributed to the breach. Some of the claims include:

  • The hacker discovered an “easily guessable username and password.”
  • T-Mobile used “weak credentials” for internal system access.
  • Connections were allowed from the threat actor’s IP address outside the network.
  • No rate-limiting was implemented on login attempts, enabling the hacker to test multiple credentials without restrictions.

Furthermore, the complaint states that T-Mobile’s “inadequate monitoring and alerting configuration” facilitated the hacker’s undetected access to the network.

Misrepresentation of Cybersecurity Defenses

Ferguson’s complaint alleges that T-Mobile misrepresented the effectiveness of its cybersecurity measures and the risks associated with customer data found on the dark web. This conduct, he argues, “had the capacity to deceive a substantial number of Washington consumers.”

T-Mobile’s Response to the Lawsuit

When approached for comment by TechCrunch, T-Mobile did not respond immediately. However, a spokesperson later stated that the lawsuit was unexpected. The company expressed a willingness to engage in dialogue to resolve the matter, similar to how it has handled previous issues with the FCC.

“While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue,” the statement read.

For more information on cybersecurity and data protection, consider visiting FTC’s Privacy & Identity Theft page.
