Washington State Sues T-Mobile Over its Cybersecurity Failures

T-Mobile faces a lawsuit from Washington State for alleged cybersecurity failures that led to a data breach compromising over 2 million state residents’ sensitive information, writes Suzanne Smalley in The Record.

The breach exposed personal data, including Social Security numbers, driver’s license details, and physical addresses, increasing their risk of identity theft and fraud. The suit claims T-Mobile was aware of its vulnerabilities but failed to act and misled customers about its commitment to data security.

The 2021 data breach impacted 79 million customers nationwide, including over 2 million in Washington State. It allegedly resulted from poor security measures, including “obvious” passwords and insufficient threat monitoring. T-Mobile only learned of the breach when outsiders reported that customer data was for sale on the dark web.

The incident followed years of warnings, including statements in SEC filings, highlighting the company’s ongoing vulnerability to cyberattacks. In a related settlement with the FCC in 2023, T-Mobile paid $31.5 million and committed to adopting stronger security media, such as zero-trust architecture and multi-factor authentication.

The Washington lawsuit alleges that T-Mobile failed to address well-documented cybersecurity failures, leading to a preventable breach. Customers were allegedly misled about the extent of the breach and its risks, with some receiving misleading or incomplete notifications about the exposure of their Social Security numbers. It seeks civil penalties.

Legal departments and law firms advising corporate clients should emphasize the need for contractual clauses requiring vendors to document and report data breaches transparently.

Additionally, it is critical to quantify and document actual damages caused by vendor breaches to facilitate legal recourse. Proactive measures, such as reviewing cybersecurity compliance and breach response protocols, can mitigate liability and protect client interests.