Updated: January 7, 2025
T-Mobile has expressed dismay at the recent decision by the Washington Attorney General (AG) to file a lawsuit regarding a significant data breach that occurred between March and August 2021. While the company disputes the claims laid out in the lawsuit, it remains open to continued discussions with the AG's office and emphasizes its commitment to enhancing cybersecurity measures.
T-Mobile's spokesperson stated, “We have had multiple conversations about this incident with the Washington AG's office over the years, and we were surprised by the decision to file a lawsuit now. While we disagree with their claims, we welcome the opportunity for further dialogue as we have already done with the FCC. We also look forward to sharing how T-Mobile has transformed its cybersecurity approach over the past four years to better protect our customers.”
T-Mobile spokesperson, January 2025
The original report from January 7, 2025 follows below:
Over the past few years, T-Mobile has faced several major cybersecurity incidents, the most significant being a breach that started in March 2021 and lasted until August 2021, when it was brought to the company's attention by an external party. During this breach, a hacker infiltrated T-Mobile's internal network and compromised sensitive data belonging to over 79 million customers, including names, Social Security numbers, phone numbers, addresses, and driver's license information, which was later sold on the dark web.
The lawsuit alleges that T-Mobile failed to address known cybersecurity vulnerabilities and did not meet industry standards in its cybersecurity practices, which included the use of weak passwords. The breach was facilitated by the hacker's ability to guess passwords for access to T-Mobile's internal databases, made possible by insufficient network security measures such as a lack of limits on authentication attempts. T-Mobile's monitoring systems were reportedly inadequate, failing to detect the threat actor until an outside source intervened.
This breach was not the company's first: it had been subject to unauthorized access on five separate occasions from 2017 to mid-2022, yet continued to reassure customers about the security of their data. Moreover, the lawsuit claims that T-Mobile downplayed the seriousness of the breach and inadequately informed Washington residents, obstructing their ability to mitigate the risks of identity theft or fraud, for example by implementing security freezes.
Washington AG Ferguson is seeking not only injunctive relief and restitution for affected individuals but also reimbursement for costs incurred, including attorney fees. For context, T-Mobile previously agreed to pay $350 million to settle a class action lawsuit over the same data breach incident. John Binns has been identified as the alleged perpetrator of the 2021 attack.