The U.S. state of Washington has sued T-Mobile over allegations the phone giant failed to secure the personal data of millions of state residents prior to an August 2021 data breach, which went on to affect more than 79 million customers across the United States.
In a statement announcing the lawsuit, Washington attorney general Bob Ferguson said T-Mobile “knew for years about certain cybersecurity vulnerabilities and did not do enough to address them.” Ferguson said the suit seeks financial damages under the state’s consumer protection laws and to order T-Mobile to improve its cybersecurity policies.
The hack against T-Mobile in August 2021 was the latest in a series of data breaches at the company over recent years, with at least five security incidents dating back to 2018 by TechCrunch’s count. The breach allowed a hacker to access T-Mobile’s systems and exfiltrate customer names, dates of birth, and Social Security numbers, as well as driver’s license information. Some of the stolen T-Mobile customer data was subsequently published on a known cybercriminal forum.
Ferguson accused T-Mobile of providing inadequate notice to affected customers following the breach that “omitted critical information and downplayed the severity,” which Ferguson said affected the ability of consumers to assess their risk of identity theft or fraud.
“This significant data breach was entirely avoidable,” Ferguson was quoted as saying in the press release. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”
The lawsuit, filed in a Seattle federal court, contained significant redactions masking specific technical details of the August 2021 hack, but the complaint appears to detail alleged technical security deficiencies and internal company policies that may have made it easier for the hacker to access and download customer data from T-Mobile’s servers.
The unredacted portions note that the hacker targeting T-Mobile discovered an “easily guessable username and password”; that T-Mobile “used weak credentials” on accounts for accessing its internal systems; and that T-Mobile “allowed the connection from the threat actor’s IP address” from outside its network. The complaint also says T-Mobile did not implement rate-limiting on login attempts, allowing the hacker to freely test as many credentials as they wanted without locking out the employee accounts in question.
The suit also says the company’s “inadequate monitoring and alerting configuration” made it easier for the hacker to access T-Mobile’s network without being noticed.
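The two deficiencies above, unthrottled login attempts and missing alerting, are routine to guard against. The following Python is an added illustration and is not from the complaint, from T-Mobile, or from the original article: it runs a burst-of-failures detector over a constructed authentication log, and then replays the same log under an account-lockout policy to show the guessing stopping before the successful login. The log format, the internal address ranges, and the thresholds (five failures in five minutes, fifteen-minute lockout) are assumptions chosen for the example.

```python
"""Added example: spotting and stopping unthrottled credential guessing.

The log lines, the log format and the thresholds below are constructed for
this illustration; they are not from the complaint or any real system.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Assumed log line shape: "<ISO timestamp> user=<name> src=<ip> result=SUCCESS|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Assumed internal ranges (RFC 1918); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an external address cycles through passwords for one
# account and eventually succeeds; a second user mistypes once, then logs in.
SAMPLE_LOG = "\n".join(
    [f"2021-08-01T10:00:0{i}Z user=svc_admin src=203.0.113.45 result=FAIL" for i in range(1, 9)]
    + ["2021-08-01T10:00:09Z user=svc_admin src=203.0.113.45 result=SUCCESS",
       "2021-08-01T10:04:59Z user=jdoe src=10.1.2.3 result=FAIL",
       "2021-08-01T10:05:00Z user=jdoe src=10.1.2.3 result=SUCCESS"]
)


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": ipaddress.ip_address(m["src"]),
            "ok": m["result"] == "SUCCESS"}


def is_external(ip):
    return not any(ip in net for net in INTERNAL_NETS)


def detect_credential_guessing(log_text, window=timedelta(minutes=5), threshold=5):
    """Alert on (user, source) pairs with >= threshold failures inside `window`,
    and flag when a success from that source follows the burst."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of failures in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["user"], ev["src"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["ok"]:
            if key in alerts and q:             # success while a burst is still "hot"
                alerts[key]["success_after_burst"] = True
            continue
        q.append(ev["ts"])
        if len(q) >= threshold:
            alerts.setdefault(key, {"user": ev["user"], "src": str(ev["src"]),
                                    "external": is_external(ev["src"]),
                                    "success_after_burst": False})
            alerts[key]["failures"] = len(q)
    return list(alerts.values())


class LockoutPolicy:
    """Lock an account after `max_failures` consecutive failures for
    `lock_duration`; a locked account rejects even a correct password."""

    def __init__(self, max_failures=5, lock_duration=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lock_duration = lock_duration
        self.fail_count = defaultdict(int)
        self.locked_until = {}

    def attempt(self, user, ts, credentials_valid):
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "locked"
        if credentials_valid:
            self.fail_count[user] = 0
            return "ok"
        self.fail_count[user] += 1
        if self.fail_count[user] >= self.max_failures:
            self.locked_until[user] = ts + self.lock_duration
            self.fail_count[user] = 0
            return "locked"
        return "bad_password"


def replay_under_lockout(log_text, policy=None):
    """Replay the log as if the lockout policy had been in place; the logged
    result is used as the ground truth for whether the password was correct."""
    policy = policy or LockoutPolicy()
    outcomes = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            outcomes.append((ev["user"], policy.attempt(ev["user"], ev["ts"], ev["ok"])))
    return outcomes


if __name__ == "__main__":
    for alert in detect_credential_guessing(SAMPLE_LOG):
        print("ALERT", alert)
    print(replay_under_lockout(SAMPLE_LOG))
```

On the constructed log the detector raises a single alert for `svc_admin` from the external address, with the success-after-burst flag set, which is exactly the signal an "adequate monitoring and alerting configuration" would surface; under the lockout policy the fifth failure locks the account, so the ninth attempt (the one that carried the correct password) is refused as well.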
Ferguson’s complaint adds that T-Mobile’s public statements misrepresented the adequacy of its cybersecurity defenses and the threat to T-Mobile’s customers’ data found on the dark web, and said the company’s conduct “had the capacity to deceive a substantial number of Washington consumers.”
A spokesperson for T-Mobile, when reached Monday, did not immediately comment on the lawsuit.