Consolidated Data Breach Class Action Hits T-Mobile Hard for ‘Lax Security Practices’

T-Mobile “collects and retains vast troves” of personal information from its customers, and profits from that data “through its own marketing efforts, as well as by selling sensitive consumer information to third parties,” said the consolidated consumer class action complaint Friday (docket 4:23-md-03073) in U.S. District Court for Western Missouri in Kansas City filed by 38 plaintiffs who allege they were victimized in T-Mobile’s 2022 data breach (see 2306050001). T-Mobile understands “it has an enormous responsibility to protect the data it has collected,” said the complaint. But T-Mobile “completely failed to meet its obligations, yet again, to protect the sensitive consumer data of its customers,” it said. Instead, even after experiencing one of the largest and "most consequential" data breaches in U.S. history in August 2021, T-Mobile has once again suffered a massive data breach -- at least its eighth since 2017 -- which compromised the highly sensitive personal information of about 37 million consumers, it said. The 38 plaintiffs are current and former T-Mobile customers who had their personally identifiable information (PII) “exfiltrated and compromised” in the data breach that T-Mobile announced Jan. 19. 2023, said the complaint. The plaintiffs “place significant value in the security of their PII,” it said. They entrusted their sensitive PII to T-Mobile “with the understanding that T-Mobile would keep their information secure and employ reasonable and adequate security measures to ensure their information would not be compromised,” it said. Had the plaintiffs known of T-Mobile’s “lax security practices,” they wouldn’t have done business with T-Mobile, nor would they have applied for T-Mobile’s services or purchased its products, it said.