(Seattle, WA)— Attorney General Bob Ferguson filed a consumer protection lawsuit today against T-Mobile for failing to adequately secure sensitive personal information of more than 2 million Washingtonians. That failure resulted in a massive data breach that exposed the personal information of those consumers and made them vulnerable to fraud and identity theft.
The lawsuit, filed in King County Superior Court, asserts that T-Mobile knew for years about certain cybersecurity vulnerabilities and did not do enough to address them. At the same time, T-Mobile misrepresented to consumers that the company prioritizes protecting the personal data it collects. Ferguson’s lawsuit also alleges T-Mobile failed to properly notify affected Washingtonians of the data breach, downplaying its severity and sending notices to affected consumers that did not disclose all the information that had been compromised.
In short, the lawsuit asserts that the massive data breach was a direct result of T-Mobile’s lack of accountability and failure to adhere to industry cybersecurity standards.
“This significant data breach was entirely avoidable,” Ferguson said. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”
In August 2021, T-Mobile discovered a hacker had gained access to the company’s internal network and exposed personal information of more than 79 million consumers nationwide, among them 2,025,634 Washingtonians. Of those, 183,406 Washington consumers had their Social Security numbers compromised. Other data exposed included phone numbers, names, physical addresses and driver’s license information, among other personal data.
The data breach began in March 2021 and continued until Aug. 12, 2021. Due to a lack of adequate security monitoring, according to the lawsuit, T-Mobile was unaware of the breach until an anonymous outside source notified the company that its customers’ data was posted for sale on the dark web. 
When it learned of the data breach, T-Mobile’s notification to affected consumers was inadequate in numerous ways. Current customers received text messages that were brief, omitted critical and legally required information, and in some cases misled customers regarding the severity of the breach. Moreover, current customers whose Social Security numbers were exposed did not receive any information regarding that exposure.
In contrast, customers who did not have their Social Security numbers exposed were notified of that information in the texts they received from the company.
Because T-Mobile’s breach notifications omitted critical information and downplayed the severity, it affected consumers’ ability to adequately assess their risk of identity theft or fraud. 
For years prior to August 2021, T-Mobile did not meet industry standards for cybersecurity and knew about these vulnerabilities. These included insufficient processes for identifying and addressing security threats and a systemic lack of oversight. In some cases, T-Mobile used obvious passwords to protect accounts that had access to customers’ sensitive personal information. The 2021 breach was enabled, in part, when the hacker guessed obvious credentials to gain access to T-Mobile’s internal databases.
Prior to 2021, T-Mobile had already been the target of numerous cyberattacks. In fact, filings with the federal Securities and Exchange Commission from 2020 — a year before the data breach at the center of Ferguson’s lawsuit — show that T-Mobile knew it would continue to be a target.
Despite knowing about and failing to address these cybersecurity issues for years, T-Mobile continued misrepresenting to its customers a commitment to cybersecurity, publicly touting on its website: “We’ve got your back. We’re always working to protect you and your family and keep your data secure.”
Ferguson’s lawsuit asserts that these failures violated Washington’s Consumer Protection Act. It alleges the 2021 data breach was the direct result of T-Mobile’s lack of accountability.
Ferguson’s lawsuit seeks civil penalties and restitution for the Washingtonians harmed. It also seeks injunctive relief to require improvements to T-Mobile’s cybersecurity policies and procedures, as well as increased transparency in communications about cybersecurity to its customers.
Assistant Attorneys General Mina Shahin, Kathleen Box, Bret Finkelstein, Gardner Reed, Paralegal Matt Hehemann, Legal Assistant Luis Oida and Investigator Steuart Markley are handling the case for Washington.
For more information about data breaches, data breach reports and protecting your private data, visit the Attorney General’s Data Breach Resource Center: atg.wa.gov/data-
