
Washington State Attorney General Bob Ferguson has filed a lawsuit against T-Mobile, alleging inadequate cybersecurity measures and deceptive practices after a massive 2021 data breach. The breach, disclosed in August 2021, exposed the personal information of 76.6 million people, including over 2 million Washington residents, and has led to multiple legal and regulatory repercussions for the wireless carrier.
The lawsuit accuses T-Mobile of failing to address known system vulnerabilities, which Ferguson claims could have prevented the breach. “This significant data breach was entirely avoidable. T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed,” Ferguson stated.
T-Mobile is also accused of misleading customers by asserting a commitment to protecting personal data while allegedly downplaying the breach’s severity. According to the lawsuit, the company failed to notify Washington residents promptly and omitted critical information in its customer notifications, including the compromise of Social Security numbers for 183,406 individuals.
The compromised data included names, addresses, phone numbers, driver’s license details, and other personal information. Despite prior data breaches, T-Mobile allegedly did not implement sufficient cybersecurity improvements, leaving its systems vulnerable.
The 2021 breach has already cost T-Mobile heavily. In 2022, the company agreed to a $350 million settlement to resolve a class-action lawsuit. In 2024, it paid a $15.75 million civil penalty to settle a Federal Communications Commission (FCC) investigation into the incident and other breaches.
The attack was claimed by John Binns, an American citizen living in Turkey, who is currently imprisoned in Turkey for unrelated cyberattacks. Other individuals, including a Canadian national and a U.S. Army soldier, were also arrested in connection with the breach.
The Attorney General’s Office seeks civil penalties, restitution for affected Washingtonians, and injunctive relief requiring T-Mobile to enhance its cybersecurity practices and improve transparency in incident communication.
In response, T-Mobile expressed surprise at the lawsuit, citing ongoing discussions with the AG’s office. “We have had multiple conversations about this incident from 2021 with the Washington AG’s office over the last several years and even reached out in late November to continue discussions,” the company said in a statement.
T-Mobile disagreed with the lawsuit’s approach and claims but reiterated its willingness to engage in further dialogue. It emphasized that it has transformed its cybersecurity framework over the past four years to better safeguard customer data.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543