Washington sues T-Mobile over 2021 data breach that spilled 79 million customer records | TechCrunch


By admin


The US state of Washington has sued T-Mobile, alleging that the phone giant failed to protect the personal data of millions of state residents before the August 2021 data breach, which affected more than 79 million customers across the United States.

In a statement announcing the lawsuit, Washington Attorney General Bob Ferguson said T-Mobile “knew for years about certain cybersecurity vulnerabilities and did not do enough to address them.” Ferguson said the lawsuit seeks monetary damages under the state's consumer protection law and seeks to have T-Mobile ordered to improve its cybersecurity policies.

The August 2021 hack against T-Mobile was the latest in a series of data breaches at the company in recent years, with at least five security incidents dating back to 2018, by TechCrunch's count. The breach gave hackers access to T-Mobile's systems and to customer names, dates of birth and Social Security numbers, as well as driver's license information. Some of the stolen T-Mobile customer data was later published on a known cybercriminal forum.

Ferguson accused T-Mobile of providing inadequate notice to affected customers after the breach that “left out important information and reduced the severity,” which Ferguson said affected customers' ability to assess their risk of identity theft or fraud.

“This significant data breach was entirely avoidable,” Ferguson was quoted as saying in the press release. “T-Mobile has had years to fix key vulnerabilities in its cybersecurity systems — and it has failed.”

The case, filed in federal court in Seattle, has significant redactions: specific technical details of the August 2021 hack are masked, but the complaint appears to detail alleged technical security flaws and internal company policies that made it easy for hackers to access and download customer data from T-Mobile's servers.

Unredacted excerpts note that the hacker discovered an “easily guessable username and password” while targeting T-Mobile; that T-Mobile “used weak credentials” on accounts to access its internal systems; and that T-Mobile “allowed connections from the threat actor's IP address” from outside its network. The complaint also states that T-Mobile did not apply rate-limiting to any login attempts, allowing the hacker to freely test many credentials without locking out the employee accounts in question.

The lawsuit also says the company's “inadequate monitoring and alert configuration” made it easy for hackers to access T-Mobile's network without being noticed.

Ferguson's complaint added that T-Mobile's public statements misrepresented the adequacy of its cybersecurity protections and the threat posed by T-Mobile customers' data being found on the dark web, and said the company's conduct “had the potential to deceive a large number of consumers in Washington.”

A T-Mobile spokesman, when reached Monday, did not immediately comment on the lawsuit.


