Washington Sues T-Mobile Over 2021 Data Breach | 79 Million Records Exposed

Washington State Sues T-Mobile Over 2021 Data Breach
The state of Washington has initiated legal action against T-Mobile, alleging a failure to adequately protect the personal information of its residents. This lawsuit stems from a data breach that occurred in August 2021, ultimately impacting over 79 million customers nationwide.
Allegations of Negligence
According to a statement released by Washington Attorney General Bob Ferguson, T-Mobile was aware of existing cybersecurity vulnerabilities for several years but did not take sufficient steps to mitigate them. The suit aims to secure financial penalties under state consumer protection laws and mandate improvements to T-Mobile’s cybersecurity protocols.
History of Security Incidents
The August 2021 breach represents the latest in a series of security incidents at T-Mobile, with at least five reported since 2018. A hacker successfully gained access to T-Mobile’s systems and extracted sensitive customer data.
Data Compromised
The compromised data included customer names, dates of birth, Social Security numbers, and driver’s license information. Subsequently, portions of this stolen data appeared on a known forum frequented by cybercriminals.
Inadequate Customer Notification
Ferguson further contends that T-Mobile’s notification to affected customers was insufficient, omitting crucial details and minimizing the severity of the breach. This, he argues, hindered consumers’ ability to accurately assess their risk of identity theft and potential fraud.
Avoidable Breach
“This data breach was entirely preventable,” Ferguson stated. “T-Mobile possessed ample time to address critical weaknesses in its cybersecurity infrastructure, yet failed to do so.”
Details from the Lawsuit
The lawsuit, filed in federal court in Seattle, contains redactions obscuring specific technical aspects of the hack. However, the complaint outlines alleged technical deficiencies and internal policies that potentially facilitated the hacker’s access to and download of customer data.
Security Weaknesses Exploited
The unredacted portions of the complaint reveal that the hacker utilized an “easily guessable username and password.” Furthermore, T-Mobile reportedly employed “weak credentials” for accessing internal systems and permitted connections from the attacker’s IP address, despite it originating from outside the network.
Lack of Rate Limiting
The suit also highlights the absence of rate-limiting on login attempts, enabling the hacker to test numerous credentials without triggering account locks.
Insufficient Monitoring
T-Mobile’s “inadequate monitoring and alerting configuration” is cited as contributing to the hacker’s ability to access the network undetected.
Misleading Public Statements
Ferguson’s complaint alleges that T-Mobile misrepresented the strength of its cybersecurity defenses and downplayed the threat to customer data circulating on the dark web. This conduct, it is claimed, had the potential to mislead a significant number of Washington consumers.
T-Mobile's Response
Prior to publication, T-Mobile declined to comment. Following the story’s release, T-Mobile spokesperson Michelle Jacob issued a statement expressing “surprise” at the lawsuit.
Seeking Resolution
“While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC,” the statement concluded.
