The Office of the Attorney General of Washington State has filed a lawsuit against T-Mobile, alleging that the telecommunications giant failed to fix long-standing cybersecurity weaknesses that contributed to a data breach affecting millions of Americans. The complaint claims that T-Mobile violated the state's Consumer Protection Act by misleading consumers about its data protection capabilities despite knowing of significant gaps in its security program.
Attorney General Bob Ferguson asserts that T-Mobile not only concealed the full extent of the breach from its customers but also downplayed its impact when issuing notifications about the incident. “This significant data breach was entirely avoidable. T-Mobile had years to fix key vulnerabilities in its cybersecurity systems – and it failed,” he emphasized.
The lawsuit reveals that T-Mobile acknowledged a cybersecurity breach in August 2021, which compromised the personal data of over 79 million Americans, including sensitive information such as phone numbers, names, addresses, and driver’s license records. Among those affected were 2,025,634 residents of Washington State, with 183,406 customers suffering exposure of their Social Security numbers.
According to court documents, the breach began in March 2021 and continued until August 12, 2021, yet T-Mobile was unaware of it for months and learned of it only after receiving a tip that its customers' data was being sold on the dark web. The lawsuit argues that the company lacked sufficient security monitoring, which allowed the intrusion and the exfiltration of customer data to go undetected until an external party reported the sale.
Furthermore, Attorney General Ferguson notes that T-Mobile had suffered "numerous cyberattacks" before the 2021 breach and had acknowledged as early as 2020, in a filing with the U.S. Securities and Exchange Commission (SEC), that it remained vulnerable. Despite this, T-Mobile continued to assure customers that their data was secure while reportedly using weak, easily guessed passwords on internal systems, which facilitated the unauthorized access. "The 2021 breach was enabled, in part, when the hacker guessed obvious credentials to gain access to T-Mobile's internal databases," Ferguson stated.
The attorney general also criticizes T-Mobile for omitting legally required information from its breach notifications, particularly regarding the exposure of Social Security numbers. "Current customers whose Social Security numbers were exposed did not receive any information regarding that exposure," he pointed out.
Ferguson has called for civil penalties against T-Mobile and seeks restitution for Washington residents affected by the breach. He is also advocating for injunctive relief to compel T-Mobile to strengthen its cybersecurity measures and enhance transparency in its communication with customers.
This case illustrates the continuing risk large corporations face in safeguarding sensitive customer data. Mapped to the MITRE ATT&CK framework, the behaviour the complaint describes, an attacker guessing obvious credentials to reach internal databases, corresponds to Brute Force: Password Guessing (T1110.001) leading to the use of Valid Accounts (T1078), rather than to credential dumping, which presupposes access that has already been obtained. The months-long gap between the start of the intrusion and its discovery through an outside tip points to the second failure the complaint alleges: no monitoring capable of flagging either the guessing activity or the subsequent bulk data access.
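The complaint's two technical claims, that an attacker guessed obvious credentials and that T-Mobile's monitoring did not catch it, describe a pattern that is straightforward to detect in authentication logs: a burst of failed logins from one source followed by a success. The following is an added example written for this article, not code from T-Mobile or from the lawsuit; the log line format, the field names, the sample lines and the thresholds are all assumptions constructed for illustration.

```python
"""Flag password guessing that ends in a successful login.

Added example for this article (not T-Mobile's code). The log format
below is an assumption; adapt LINE_RE to the real authentication source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample lines (not real data). The first source fails five
# times against an obvious account name and then succeeds; the second is a
# user who mistyped once; the third is ordinary activity.
SAMPLE_LOG = """\
2021-03-18T02:14:07Z auth src=203.0.113.7 user=admin result=FAIL
2021-03-18T02:14:09Z auth src=203.0.113.7 user=admin result=FAIL
2021-03-18T02:14:11Z auth src=203.0.113.7 user=admin result=FAIL
2021-03-18T02:14:13Z auth src=203.0.113.7 user=admin result=FAIL
2021-03-18T02:14:15Z auth src=203.0.113.7 user=admin result=FAIL
2021-03-18T02:14:18Z auth src=203.0.113.7 user=admin result=OK
2021-03-18T02:20:00Z auth src=198.51.100.5 user=alice result=FAIL
2021-03-18T02:20:30Z auth src=198.51.100.5 user=alice result=OK
2021-03-18T09:00:00Z auth src=192.0.2.44 user=bob result=OK
"""


def parse_line(line):
    """Return (timestamp, src, user, result) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"]


def detect_guessing(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return one alert per source whose success was preceded, within `window`,
    by at least `max_failures` failed attempts (ATT&CK T1110.001 -> T1078).

    Thresholds are assumptions; tune them to the environment's baseline.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, src, user, result = parsed
        recent = failures[src]
        # Expire failures that fall outside the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result == "FAIL":
            recent.append(ts)
            continue
        # A success: alert if it caps a run of failures, then reset the run.
        if len(recent) >= max_failures:
            alerts.append({
                "src": src,
                "user": user,
                "failures_before_success": len(recent),
                "success_at": ts.isoformat(),
            })
        recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises a single alert for 203.0.113.7 and stays quiet for the one-off typo from 198.51.100.5. The design choice worth noting is that the alert fires on the success, not on the failures alone: a burst of failures is noise in most environments, but failures that end in a valid session are exactly the transition from guessing to a working account that the complaint says went unnoticed.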