T-Mobile hit with class-action lawsuits over data breach

T-Mobile has been hit with a pair of class-action lawsuits in Washington federal court as the number of current and former customers impacted by a cyberattack against the telecommunications giant grows.

One of the lawsuits, Espanoza v. T-Mobile USA, accuses T-Mobile of putting plaintiffs and class-action members at “considerable risk” due to the company’s failure to adequately protect its customers as a result of negligent conduct.

“Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes, including but not limited to fraudulently applying for unemployment benefits, opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ information to obtain government benefits (including unemployment or COVID relief benefits), filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph and providing false information to police during an arrest,” the complaint states.

The other lawsuit, Durwalla v. T-Mobile USA, alleges victims have already already spent as much as 1,000 hours addressing privacy concerns stemming from the attack, including reviewing financial and credit statements for evidence of unauthorized activity.

“T-Mobile knew its systems were vulnerable to attack. Yet it failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ personal information, yet again putting millions of customers at great risk of scams and identity theft,” the filing adds. “Its customers expected and deserved better from the second largest wireless provider in the country.”

Together, the suits seek a range of actions for violations of the Washington Consumer Protection Act and the California Consumer Privacy Act, including compensatory damages and reimbursement of out-of-pocket costs for the efforts to repair any damage from the fraud.

Plaintiffs and class action members are also asking for injunctive relief, such as improvements to T-Mobile’s data security systems, future annual audits, adequate credit monitoring services funded by the company, and an order to prohibit T-Mobile from keeping personal data on a cloud-based database.

T-Mobile previously reported that the breach compromised approximately 7.8 million current postpaid customer accounts and 40 million former or prospective T-Mobile customers, stealing data including first and last names, date of birth, Social Security numbers, and driver’s license/ID information.

T-Mobile said in an update Friday that another 5.3 million current postpaid customer accounts and 667,000 accounts of former T- Mobile customers have also been identified as targets, with customer names, addresses, date of births, phone numbers, IMEIs and IMSIs, the typical identifier numbers associated with a mobile phone, illegally accessed.

T-Mobile continues to work “around the clock” on its investigation into the cyberattack.

“Our investigation is ongoing and will continue for some time, but at this point, we are confident that we have closed off the access and egress points the bad actor used in the attack,” the company noted.

In order to help its customers, the company is offering two years of free identity protection services with McAfee’s ID Theft Protection Service to any person who believes they may be affected and is recommending all eligible customers sign up for Scam Shield’s free scam-block protection. In addition, approximately 850,000 active T-Mobile prepaid customer accounts that were exposed have had their PINs reset.

T-Mobile emphasized that there is no indication that any customers’ financial information, credit card information, debit or other payment information has been accessed.