Summarize this content to 2000 words in 6 paragraphs
A new lawsuit asserts that T-Mobile’s security failures violated Washington’s Consumer Protection Act. (BigStock Photo)
Washington Attorney General Bob Ferguson filed a consumer protection lawsuit against T-Mobile on Monday, claiming that the Bellevue, Wash.-based wireless carrier failed to adequately secure sensitive personal information of more than 2 million state residents.
The lawsuit, filed in King County Superior Court, stems from an August 2021 cyberattack in which a hacker gained access to the company’s internal network and exposed personal information of more than 79 million consumers nationwide.
Among 2,025,634 Washingtonians affected, 183,406 had their Social Security numbers compromised. Other data exposed included phone numbers, names, physical addresses and driver’s license information, among other personal data, according to the AG’s office.
The lawsuit asserts that T-Mobile knew for years about cybersecurity vulnerabilities and did not do enough to address them. The company also misrepresented to consumers how it prioritizes protecting the personal data it collects, according to the AG, and T-Mobile “failed to properly notify affected Washingtonians of the data breach, downplaying its severity and sending notices to affected consumers that did not disclose all the information that had been compromised.”
Washington state Attorney General Bob Ferguson. (GeekWire File Photo / Dan DeLong)
Ferguson, who is the governor-elect of Washington, called the data breach “entirely avoidable,” and said T-Mobile “had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”
In a statement to GeekWire, T-Mobile said it has had multiple conversations about the incident with the AG’s office over the last several years. The company said it also reached out in late November to continue discussions.
“The office’s decision to file a lawsuit [Monday] came as a surprise,” T-Mobile said. “While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC.”
The company said it also looks forward to sharing how it has “fundamentally transformed our approach to cybersecurity over the past four years to further protect our customers.”
In September, T-Mobile reached an agreement to pay $31.5 million in a data protection and cybersecurity settlement with the Federal Communications Commission, resolving that agency’s investigations into data breaches that impacted millions of U.S. consumers in 2021, 2022, and 2023.
The company said it would also address “foundational security flaws, work to improve cyber hygiene, and adopt robust modern architectures, like zero trust and phishing-resistant multi-factor authentication.”
Ferguson’s lawsuit asserts that T-Mobile’s security failures violated Washington’s Consumer Protection Act. The lawsuit seeks civil penalties and restitution for the Washingtonians harmed. It also seeks injunctive relief to require improvements to T-Mobile’s cybersecurity policies and procedures, as well as increased transparency in communications about cybersecurity to its customers.
