T-Mobile 'Deliberately Underplayed' Severity of Latest Data Breach: Class Action
T-Mobile, whose network has experienced several data breaches over the past few years, “deliberately underplayed” the severity and “obfuscated the nature of” its most recent breach, Feb. 24-March 27, alleged a class action (docket 4:23-cv-00393) Thursday in U.S. District Court for Western Missouri in Kansas City. Though the breach began on Feb. 24, T-Mobile only became aware of “suspicious activity” on its network on March 27; it stopped the intrusion three days later, said the complaint. The carrier notified the public on April 28.
The Thursday complaint is unrelated to the 16 class actions that the Judicial Panel on Multidistrict Litigation just transferred to the Western District of Missouri for pretrial consolidation under U.S. District Judge Brian Wimes in Kansas City (see 2306050001).
When T-Mobile announced the latest data breach, it “largely put the burden of a fraud alert on victims,” said plaintiff Waleed Lashin, a New Jersey resident, saying T-Mobile maintained customers’ personally identifiable information (PII) in a “reckless” manner. The breach notice didn’t explain which security weakness was compromised in the breach, which individuals were affected and to what extent, or who perpetrated the breach, the complaint said.
Lashin received the breach notice letter around the beginning of May, he said. Just after the breach, he experienced a large increase in spam and “suspicious” phone calls, texts and emails, the complaint said. He received a two-factor authentication message from PayPal for a login he didn’t make or authorize, the complaint said. On Feb. 28, his cell phone lost service, and he received an email from T-Mobile that he had canceled his internet account. An hour later, he began receiving notices that the cryptocurrency in his Coinbase account was being converted into bitcoin and the cash was being transferred out of the account, the complaint said. The cash and cryptocurrency account loss was $13,000, he said.
A T-Mobile customer service rep recovered ownership of his eSIM and told him the service outage and loss of service were due to a system glitch, said the complaint. T-Mobile “falsely represented” to Lashin that the loss of cellular service was due to a “‘system glitch’ when in fact it was due to a T-Mobile system compromise,” it said. He was also told a prepaid phone line, one he didn’t authorize, was added to his account. The carrier informed Lashin on March 3 that a one-time PIN was issued on Feb. 28, just before his phone was hacked, it said. On March 11, Lashin’s wife’s T-Mobile phone also lost coverage, and she also experienced fraudulent activity on her phone line.
After his wife’s compromise, Lashin switched carriers; on May 4, T-Mobile sent him a notice letter about the breach. Lashin has spent time and money on obtaining identity protection programs and remains concerned that the financial and emotional tolls from the data breach will continue.
Lashin’s complaint claims negligence, unjust enrichment and breach of implied contract. He seeks a mandatory injunction directing T-Mobile to “adequately safeguard” his and class members’ PII by implementing improved security procedures and measures; to provide notice to each member about the full nature and extent of the breach; to enjoin it from further “deceptive practices and making untrue statements” about the breach; an award of actual, nominal, consequential and punitive damages; and attorney’s fees and legal costs. T-Mobile didn't comment.