
Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach

T-Mobile is being sued by Washington for allegedly poor cybersecurity practices that led to a hack compromising the sensitive personal data of more than 2 million state residents, exposing them to identity theft and fraud.

The consumer protection lawsuit, announced Monday, alleges that the telecommunications giant knew about its cybersecurity weaknesses for years and failed to fix them.

The carrier also misled customers by telling them it focused on safeguarding consumer data and did not properly alert them about the 2021 breach, including by failing to reveal which information had been hacked, state Attorney General Bob Ferguson alleges. The suit seeks civil penalties.

T-Mobile agreed to pay a $31.5 million fine and strengthen its cyber practices in September as part of a wide-ranging settlement with the Federal Communications Commission (FCC) for its alleged cybersecurity failings, which the FCC said led to the 2021 breach as well as additional hacks in 2022 and 2023.

That settlement ordered T-Mobile to adopt zero-trust network security and multi-factor authentication measures that it had previously lacked, the FCC said at the time. 

The 2021 breach led to the leak of personal data belonging to 79 million T-Mobile customers across the country, according to a Ferguson press release. The breach also allegedly exposed Social Security numbers (SSNs) for 183,000 of the more than 2 million Washington state consumers impacted by the hack, the press release said.

Phone numbers, names, physical addresses and driver’s license information also were allegedly leaked, Ferguson’s office said.

A T-Mobile spokesperson said in a statement that the company is surprised by the lawsuit since it has had more than one conversation about the incident with Ferguson’s staff and even contacted the office in November to continue discussions.

“While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC,” the statement said. “We also look forward to sharing how T-Mobile has fundamentally transformed our approach to cyber security over the past four years to further protect our customers.” 

The breach began in March 2021 and didn’t end until August of that year. T-Mobile security monitoring was so poor, the lawsuit says, that the company only learned of the intrusion when an anonymous outsider alerted the company that data belonging to its customers was for sale on the dark web.

“This significant data breach was entirely avoidable,” Ferguson said in a statement. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”

T-Mobile alerted customers to the breach via text messages which “omitted critical and legally required information, and in some cases misled customers regarding the severity of the breach,” Ferguson said. 

Consumers whose SSNs were breached were not told about their exposure, Ferguson alleges. Meanwhile, the company allegedly did tell customers whose SSNs were not hacked that their numbers were safe.

T-Mobile’s cybersecurity failings included “insufficient processes for identifying and addressing security threats and a systemic lack of oversight,” according to the release. 

The company sometimes used “obvious” passwords to safeguard accounts that included sensitive personal data, Ferguson’s office said.

The 2021 hack should not have surprised T-Mobile, Ferguson’s office said, citing the fact that 2020 Securities and Exchange Commission filings “show that T-Mobile knew it would continue to be a target.”

Meanwhile, the company’s website told customers that it prioritized data security, Ferguson’s office said in the press release.

“We’ve got your back,” the website said. “We’re always working to protect you and your family and keep your data secure.”

In addition to the civil penalties, the lawsuit asks for T-Mobile to be forced to bolster its cybersecurity program.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.