Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
66,406
35,501


T-Mobile has been sued a second time over a 2021 data breach that impacted 80 million T-Mobile users. The consumer protection lawsuit comes from Washington State Attorney General Bob Ferguson, who says that T-Mobile had years to "fix key vulnerabilities" that could have prevented the data breach.

T-Mobile-Generic-Feature-Pink-1.jpg

According to Ferguson, T-Mobile knew that its systems had certain cybersecurity vulnerabilities, and the company did not do enough to address them. T-Mobile is also accused of misleading customers about its security practices, not notifying Washingtonians of the data breach in a timely matter, and downplaying the severity of the breach.
For years prior to August 2021, T-Mobile did not meet industry standards for cybersecurity and knew about these vulnerabilities. These included insufficient processes for identifying and addressing security threats and a systemic lack of oversight. In some cases, T-Mobile used obvious passwords to protect accounts that had access to customers' sensitive personal information. The 2021 breach was enabled, in part, when the hacker guessed obvious credentials to gain access to T-Mobile's internal databases.
T-Mobile's systems were breached in March 2021, but T-Mobile did not learn of the attack until August 2021. Hackers were able to obtain names, phone numbers, addresses, birth dates, social security numbers, driver's license and ID info, IMEI numbers, and IMSI numbers from T-Mobile customers, and that data was sold.

The hacker behind the attack said that T-Mobile's security was "awful" and that the breach occurred when an unprotected T-Mobile router was discovered, which led to access of T-Mobile's Washington data center.

T-Mobile apologized for the data breach and promised to prevent a future attack by establishing long-term partnerships with cybersecurity experts.

The lawsuit is seeking restitution for Washingtonians that were harmed in the data breach, along with injunctive relief to require improvements to T-Mobile's cybersecurity practices.

T-Mobile already paid $350 million to settle a class action lawsuit over the data breach in 2022, and it was fined $60 million by the Committee on Foreign Investment in the US (CFIUS) for failing to prevent or disclose unauthorized access to sensitive customer data.

Article Link: T-Mobile Facing Another Lawsuit Over 2021 Data Breach
 
WHY does it take almost 3.5 years for this? it's not that the state AG learned about it last year ...
Washington state's huge budget deficit probably has something to do with it. It's been looking for dollars in all the wrong places.

 
I would love to hear from a lawyer on here about the legal theory of how an AG can raise this suit for a population that already received a settlement from the company (T-mobile) for the misdeed in question. This feels a little like double jeopardy.

I'm sure there are 49 other AG's watching this closely to see if they can get additional settlement money from T-mobile as well.
 
Why do they need social security and driver’s license numbers?!?
Social security number is needed to run a credit check since T-Mobile is basically extended credit to you when they provide post-paid mobile service, discounted or free mobile phones, etc.

How else are they going to get their money back if a customer fails to pay for service and runs off with a bunch of free iPhone 16 Pro's?

iphone16.png
 
Social security number is needed to run a credit check since T-Mobile is basically extended credit to you when they provide post-paid mobile service, discounted or free mobile phones, etc.

How else are they going to get their money back if a customer fails to pay for service and runs off with a bunch of free iPhone 16 Pro's?

View attachment 2470533
I use credit to purchase a lot of other goods and services costing a lot more money and never have to give up my SSN or driver’s license.
 
I use credit to purchase a lot of other goods and services costing a lot more money and never have to give up my SSN or driver’s license.
You certainly gave your SSN when you applied for those lines of credit.

And your bank would verify your license/ID if you walked in and asked to update your physical address. (Which people walk into T-Mobile stores all the time to do)
 
You certainly gave your SSN when you applied for those lines of credit.

And your bank would verify your license/ID if you walked in and asked to update your physical address. (Which people walk into T-Mobile stores all the time to do)
But my bank hasn’t been hacked multiple times. Or ever for that matter.

And you’re comparing apples and oranges. A bank giving out money for me as credit is a completely different entity than a phone company taking that money.
 
Last edited:
But my bank hasn’t been hacked multiple times. Or ever for that matter.

And you’re comparing apples and oranges. A bank giving out money for me as credit is a completely different entity than a phone company taking that money.

I have no idea who your bank is, but yeah those get hacked all the time as well: https://www.upguard.com/blog/biggest-data-breaches-financial-services

The phone company is extending a service to you with your commitment to pay after you receive it. They are taking on a liability when doing such - like extending you a line of credit.

If you don't want to give your SSN because you are taking upon a financial obligation, then you can get pre-paid service.
 
Last edited:
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.