It’s the data breach that keeps coming back to bite: T-Mobile is facing yet more legal action over a 2021 security calamity that saw 79 million customer records leaked.
This latest lawsuit comes from the State of Washington, which is suing the telecoms giant for financial damages and is also trying to push for improved cybersecurity in the future.
The breach has already resulted in a class action lawsuit from affected customers for a reported $350 million, and $31.5 million from the government.
T-Mobile “Did Not Do Enough,” Suit Says
This latest lawsuit centers upon the accusation that T-Mobile knew that its defenses were shaky but did nothing about it.
In a statement announcing the lawsuit, Washington attorney general Bob Ferguson said T-Mobile “knew for years about certain cybersecurity vulnerabilities and did not do enough to address them.” He added: “This significant data breach was entirely avoidable. T-Mobile had years to fix key vulnerabilities in its cybersecurity systems – and it failed.”
Ferguson adds that the company was also deliberately deceptive. “T-Mobile misrepresented to consumers that the company prioritizes protecting the personal data it collects,” he said.
Even after the breach, Ferguson says that the company wasn’t honest. The lawsuit alleges that the telecoms company “failed to properly notify affected Washingtonians of the data breach, downplaying its severity and sending notices to affected consumers that did not disclose all the information that had been compromised.”
What Do Washingtonians Want?
As well as financial damages, the lawsuit is focused upon getting T-Mobile to take a scrupulous look at its cyber-policies to ensure that a breach of this scale can’t happen again.
The lawsuit alleges that the “2021 breach was enabled, in part, when the hacker guessed obvious credentials to gain access to T-Mobile’s internal databases.” These databases contained full names, home addresses, and even Social Security numbers.
While some technical details in the lawsuit are redacted, the lawsuit also alleges that T-Mobile “allowed the connection from the threat actor’s IP address” from outside its network. The hacker was then allowed to test credentials without limit as the company did not have rate-limiting on login attempts.
T-Mobile “Surprised” by Lawsuit
After years of legal wrangling, T-Mobile obviously thought that the worst was over and admitted to TechCrunch that this lawsuit has come as a “surprise” to it.
In a rather resigned statement, spokesperson Michelle Jacob told the publication: “While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC.”