T-Mobile's 'Misleading' Data Breach Statements Ignore Harm: Class Action
T-Mobile’s “intentionally misleading public statements” about its “nearly annual” data breaches ignore the “serious harm” its security flaws cause customers, said a Tuesday class action (docket 2:23-cv-00142) in U.S. District Court for Western Washington in Seattle. By our count, it's the seventh federal class action against T-Mobile since the carrier disclosed in a Jan. 19 8-K filing that bad actors were able to access 37 million current postpaid and prepaid customer accounts (see 2301230046).
“Worse,” the company’s efforts to downplay the seriousness of its data breaches “could convince Class members that they do not need to take steps to protect themselves,” the complaint said. T-Mobile’s misleading statements in an SEC filing and press release about its most recent data breach in November downplay the seriousness of the breach by saying the stolen personally identifiable information (PII) didn’t include Social Security numbers.
The class action, by California plaintiffs Tamara Ferguson of Lake Elsinore and Brian Heinz of West Sacramento, alleges that as “the target of many data breaches in the past, T-Mobile knew its systems were vulnerable to attack,” yet it failed to implement and maintain reasonable security procedures appropriate for securing millions of customers’ PII. The plaintiffs received notifications from T-Mobile after its most recent data breach, which occurred in November and which T-Mobile discovered Jan. 5, that their PII was accessed without authorization, exfiltrated and/or stolen in the breach, the complaint said.
Consumers are injured every time their data is stolen and placed on the dark web, where stolen PII often ends up as hackers try to exploit the data, the complaint said. “Each data breach puts victims at risk of having their information uploaded to different dark web databases and viewed and used by different criminal actors,” the complaint said. The complaint quoted Justin Fier, Darktrace senior vice president, as saying the compromised information “could be weaponized” in “dozens” of ways. The “massive treasure trove of consumer profiles could be of use to everyone from nation-state hackers to criminal syndicates,” said the security expert.
Criminals can use the PII “that T-Mobile lost” to target class members for imposter scams by pretending to be someone the victim can trust so they can steal data or money, the complaint said. “A scammer can more convincingly impersonate T-Mobile” if they have the victim’s account number or phone number, it said. Stolen data also exposes class members to an increased risk of SIM card swapping attacks, where malicious actors can open accounts, obtain medical treatments using the victim's health insurance and obtain government benefits in their names, it said.
After “almost yearly” data breaches over the past five years, T-Mobile knew its security systems “were utterly lacking,” yet it failed to implement reasonable security systems, the complaint said. Even if class members, pegged at 50 million-100 million T-Mobile customers, don’t fall victim to identity theft as a result of the November data breach, they will have to spend “significant time and money to continuously monitor their accounts and credit scores and diligently sift out phishing communications” to limit the potential adverse effects of the breach, it said.
Claiming negligence, unjust enrichment, breach of contract and breach of confidence, the class action seeks injunctive relief to ensure T-Mobile can’t continue to put its customers at risk. It also seeks compensatory and punitive damages or nominal damages as permitted by law, legal fees, plus free credit monitoring and identity theft protection for class members, the complaint said. T-Mobile didn't comment Wednesday.