T-Mobile hit with class-action lawsuits over data breach

A T-Mobile retail store on August 18, 2021 in Arlington, Virginia. T-Mobile announced Wednesday that a data breach exposed the personal information of 7.8 million current customers and 40 million people who had applied for credit. (Photo by Chip Somo

T-Mobile has been hit with a pair of class-action lawsuits in Washington federal court as the number of current and former customers impacted by a cyberattack against the telecommunications giant grows. One of the lawsuits, Espanoza v. T-Mobile USA, accuses T-Mobile of putting plaintiffs and class-action members at "considerable risk" due to the company's failure to adequately protect its customers as a result of negligent conduct.

"Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes, including but not limited to fraudulently applying for unemployment benefits, opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ information to obtain government benefits (including unemployment or COVID relief benefits), filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph and providing false information to police during an arrest," the complaint states. 

The other lawsuit, Durwalla v. T-Mobile USA, alleges victims have already already spent as much as 1,000 hours addressing privacy concerns stemming from the attack, including reviewing financial and credit statements for evidence of unauthorized activity.

RELATED: T-Mobile data breach: More than 40 million customers exposed

"T-Mobile knew its systems were vulnerable to attack. Yet it failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ personal information, yet again putting millions of customers at great risk of scams and identity theft," the filing adds. "Its customers expected and deserved better from the second largest wireless provider in the country."

Together, the suits seek a range of actions for violations of the Washington Consumer Protection Act and the California Consumer Privacy Act, including compensatory damages and reimbursement of out-of-pocket costs for the efforts to repair any damage from the fraud.

Plaintiffs and class action members are also asking for injunctive relief, such as improvements to T-Mobile's data security systems, future annual audits, adequate credit monitoring services funded by the company, and an order to prohibit T-Mobile from keeping personal data on a cloud-based database.

T-Mobile previously reported that the breach compromised approximately 7.8 million current postpaid customer accounts and 40 million former or prospective T-Mobile customers, stealing data including first and last names, date of birth, Social Security numbers, and driver’s license/ID information.

T-Mobile said in an update Friday that another 5.3 million current postpaid customer accounts and 667,000 accounts of former T- Mobile customers have also been identified as targets, with customer names, addresses, date of births, phone numbers, IMEIs and IMSIs, the typical identifier numbers associated with a mobile phone, illegally accessed.