Washington sues T-Mobile over data breach that exposed 79 million customer records in 2021


The US state of Washington is suing T-Mobile over claims the phone giant failed to protect the personal data of millions of state residents before the August 2021 data breach, which affected more than 79 million customers in the United States.

In a statement announcing the lawsuit, Washington Attorney General Bob Ferguson said T-Mobile “has known for years about certain cybersecurity vulnerabilities and has not done enough to address them.” Ferguson said the lawsuit seeks financial damages under the state’s consumer protection laws and an order for T-Mobile to improve its cybersecurity policies.

The August 2021 hack against T-Mobile was the latest in a series of data breaches at the company in recent years, with at least five security incidents dating back to 2018, according to TechCrunch estimates. The breach gave the hacker access to T-Mobile’s systems and compromised customer names, dates of birth and Social Security numbers, as well as driver’s license information. Some of the stolen T-Mobile customer data was later posted on a known cybercriminal forum.

Ferguson accused T-Mobile of providing inadequate notice to affected customers after the breach that “left out critical information and downplayed the severity,” which Ferguson said affected consumers’ ability to assess the risk of identity theft or fraud.

“This significant data breach was completely preventable,” Ferguson said in a press release. “T-Mobile has had years to fix key vulnerabilities in its cybersecurity systems — and it has failed.”

The claim, filed in federal court in Seattle, contained significant redactions that withhold specific technical details of the August 2021 hack, but the complaint details alleged technical security flaws and internal company policies that made it easier for the hacker to access and download customer data from T-Mobile’s servers.

Unredacted excerpts note that the hacker targeting T-Mobile discovered an “easily guessed username and password”; T-Mobile “used weak credentials” on accounts to access its internal systems; and T-Mobile “allowed connections from the threat actor’s IP address” from outside its network. The complaint also states that T-Mobile did not apply a rate limit on any login attempts, allowing the hacker to freely test as many credentials as possible without locking out the employee accounts in question.

The suit also alleges that the company’s “inadequate monitoring and alert configuration” made it easy for a hacker to gain access to T-Mobile’s network without the company noticing.
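The two controls the complaint says were missing, a limit on failed logins and an alert when that limit is hit, can be sketched as follows. This is an added example, not code from the complaint or from T-Mobile; the class and function names, the thresholds (5 failures in 300 seconds), the account names and the documentation-range IP addresses are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window limit on failed logins, per account and per source IP."""

    def __init__(self, max_failures=5, window=300):
        self.max_failures = max_failures    # failures tolerated inside the window
        self.window = window                # window length in seconds
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.alerts = []                    # (timestamp, key) when a key reaches the limit

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window:  # forget failures older than the window
            q.popleft()
        return len(q)

    def allowed(self, account, ip, now):
        """False while either the account or the source IP is at the limit."""
        keys = (("acct", account), ("ip", ip))
        return all(self._recent(k, now) < self.max_failures for k in keys)

    def record_failure(self, account, ip, now):
        for key in (("acct", account), ("ip", ip)):
            if self._recent(key, now) == self.max_failures - 1:
                self.alerts.append((now, key))  # this failure reaches the limit
            self.failures[key].append(now)

def replay(events, throttle):
    """events: (timestamp, account, ip, password_ok). Returns one outcome per event."""
    outcomes = []
    for now, account, ip, ok in events:
        if not throttle.allowed(account, ip, now):
            outcomes.append("blocked")  # rejected before the password is even checked
        elif ok:
            outcomes.append("success")
        else:
            throttle.record_failure(account, ip, now)
            outcomes.append("failed")
    return outcomes

# Constructed sample: one source guessing once per second across two accounts,
# with a correct password on the 8th try, then an unrelated user from elsewhere.
GUESSING = [(t, "svc-a" if t % 2 else "svc-b", "203.0.113.7", t == 7) for t in range(10)]
OTHER = [(20, "alice", "198.51.100.4", True)]
```

Because failures are counted per source IP as well as per account, spreading guesses across accounts does not evade the limit, and the correct guess at the 8th attempt is refused. A hard per-account block also lets anyone lock a user out, so deployed systems often substitute delays or an additional challenge for that half of the check.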

Ferguson’s complaint adds that T-Mobile’s public statements misrepresent the adequacy of its cybersecurity defenses and threats to T-Mobile customers’ information found on the dark web, and that the company’s conduct “has the potential to deceive a significant number of consumers from Washington, D.C.”

A spokesperson for T-Mobile, reached Monday, did not immediately comment on the lawsuit.


