WA sues T-Mobile over data breach impacting 2M residents

Washington Attorney General Bob Ferguson has filed a consumer protection lawsuit against T-Mobile, alleging the company failed to adequately secure sensitive personal information, leading to a data breach that affected more than 2 million residents in the state. The lawsuit, submitted to King County Superior Court, claims T-Mobile was aware of cybersecurity vulnerabilities for years but did not take sufficient action to address them.

The breach, discovered in August 2021, exposed the personal information of over 79 million consumers nationwide, including 2,025,634 Washingtonians. Among those affected, 183,406 had their Social Security numbers compromised. Other exposed data included phone numbers, names, physical addresses, and driver’s license information.

"This significant data breach was entirely avoidable," Ferguson stated. "T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed."

According to the lawsuit, the breach began in March 2021 and continued until August 12, 2021. T-Mobile was reportedly unaware of the breach until an anonymous source informed the company that customer data was being sold on the dark web. The lawsuit also claims T-Mobile's notifications to affected consumers were inadequate, lacking critical information and downplaying the severity of the breach.

The lawsuit further alleges that T-Mobile did not meet industry standards for cybersecurity, using insufficient processes for identifying and addressing security threats. In some instances, the company reportedly used obvious passwords to protect accounts with access to sensitive customer information. The breach was partially enabled when a hacker guessed these credentials to access T-Mobile’s internal databases.

Despite previous cyberattacks and filings with the federal Securities and Exchange Commission in 2020 indicating awareness of ongoing threats, T-Mobile allegedly continued to misrepresent its commitment to cybersecurity. The company publicly claimed, "We’ve got your back. We’re always working to protect you and your family and keep your data secure."

Ferguson’s lawsuit asserts that these failures violated Washington’s Consumer Protection Act and seeks civil penalties and restitution for affected Washingtonians. It also calls for injunctive relief to improve T-Mobile’s cybersecurity policies and procedures and increase transparency in customer communications regarding cybersecurity.

T-Mobile in a statement to FOX 13 Seattle said it has had multiple conversations with the Washington AG's office in the last several years:

"We have had multiple conversations about this incident from 2021 with the Washington AG's office over the last several years and even reached out in late November to continue discussions, so the office’s decision to file a lawsuit today came as a surprise. While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC. We also look forward to sharing how T-Mobile has fundamentally transformed our approach to cyber security over the past four years to further protect our customers."

MORE NEWS FROM FOX 13 SEATTLE

Orca Tahlequah seen pushing second dead calf in WA waters

Good Samaritan saves mom after road rage gun incident in Hoquiam, WA

Our favorite winter day trips from Seattle

Here's when you'll need REAL ID to go through US airport security

New restaurants coming to Seattle in 2025

To get the best local news, weather and sports in Seattle for free, sign up for the daily FOX Seattle Newsletter.

Download the free FOX LOCAL app for mobile in the Apple App Store or Google Play Store for live Seattle news, top stories, weather updates and more local and national coverage, plus 24/7 streaming coverage from across the nation.

T-MobileWashingtonConsumer