Status of Washington pursues T-Mobile for data breach affecting 79 million individuals

The Washington State pursues T-Mobile for a security breach in 2021 that exposed personal data of about 79 million people, including 2 million residents of Washington. The exposed data included social security numbers, phone numbers, physical addresses, unique IMEI numbers, and driver's license information.

The operator is accused of failing to follow security procedures against industrial cybercrime, which allowed the breach to remain unnoticed for four months...

T-Mobile Data Breach

The very phrase raises the question "what is it?" and in this case, it is the attack by which a hacker obtained personal data of around 79 million Americans.

The violation occurred in April 2021, but T-Mobile did not realize that it had happened until August of the same year when the hacker began to publish the data for sale.

The carrier first said they did not know if customer data had been obtained, then confirmed that it was the case – and not just for its own customers. At that time, it estimated that 47.8 million people were affected, but later admitted that it was 79 million.

A series of other breaches led to fines from the Federal Communications Commission (FCC) to the operator for $15.75 million and ordered her to spend the same amount on improving her security measures.

Washington State Pursues T-Mobile

Attorney General Bob Ferguson announced this week that he has filed a lawsuit against the company, arguing that the breach was "completely avoidable".

The complaint, filed before King County Superior Court, states that T-Mobile had known for years of certain data security vulnerabilities and did not do enough to address them. At the same time, T-Mobile falsely assured consumers that the company prioritizes protecting personal data it collects.

Ferguson's trial also accuses T-Mobile of not properly informing residents of Washington about the data breach, minimizing its gravity and sending notifications to affected consumers who did not disclose all the information that was compromised.

In summary, the procedure states that the massive data breach was a direct result of T-Mobile's lack of responsibility and failure to follow industry cybersecurity standards.

This important data leak could have been completely avoided," said Ferguson. "T-Mobile had years to correct the key vulnerabilities in its systems against cybercrime and failed to do so.

The complaint states that T-Mobile's security failures violated consumer protection laws.

Before August 2021, T-Mobile did not comply with industry cybersecurity standards and knew of these vulnerabilities. This included inadequate processes for identifying and addressing security threats and a systemic lack of supervision. In some cases, T-Mobile used obvious passwords to protect accounts that had access to sensitive client personal information. The 2021 leak was partly facilitated when the hacker appropriated obvious identifiers to access T-Mobile's internal databases.

Before 2021, T-Mobile had already been targeted by numerous cyber attacks. In reality, the statements submitted to the US Office of Inspector General in 2020 – a year before Ferguson's breach trial – show that T-Mobile knew it would always be a target.

Although knowing and not addressing these data security issues for many years, T-Mobile continued to deceive its customers by assuring them of their commitment to data security on their website: "We are here for you. We work constantly to protect you and your family and keep your data secure.

Ferguson's trial claims that these failures violated the Washington Consumer Protection Act. He asserts that the 2021 breach was the direct result of T-Mobile's lack of accountability.

Photo by Mateus Maia on Unsplas