The Weekly Breach Breakdown Podcast by ITRC - T-Mobile in Trouble - S6E2

Show Transcript

Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for January 17th, 2025. I’m Timothy Walden. Thanks to SentiLink for their support of the ITRC and this podcast. Each week on this podcast, we look at the most recent events and trends related to data security and privacy. Today, we’ll discuss the lawsuit against T-Mobile.

In a significant legal move, Washington State has filed a lawsuit against T-Mobile, alleging the telecommunications giant failed to secure the sensitive personal information of more than two million residents following a major data breach in 2021. This case highlights data security, consumer protection, and corporate accountability in an increasingly digital world.

The breach – one of five breaches over the past few years – began in March 2021 and went unnoticed for nearly six months until customer data was discovered on the dark web. During this time, malicious actors had brute-forced their way into T-Mobile’s corporate network, compromising the sensitive information of around 79 million individuals nationwide. The delayed discovery and inadequate response from T-Mobile raised serious concerns about the company’s cybersecurity practices.

Washington Attorney General Bob Ferguson has been vocal about the inadequacies in T-Mobile’s response to the breach. According to the AG’s announcement, the company “chose to play down the severity of the breach” and failed to provide timely notifications to affected individuals. Instead of clear communication, customers received vague text messages that omitted critical details about the breach and, in some cases, misled them regarding the incident’s seriousness. Those whose Social Security numbers were exposed were particularly mishandled, as they received no information about their compromised data.

This is not T-Mobile’s first incident; it follows a pattern of cyberattacks against T-Mobile. Despite previous breaches indicating that the company was a target for threat actors, Ferguson claims T-Mobile did not implement adequate security measures to defend against such threats. This alledged negligence culminated in yet another breach in 2024, where T-Mobile faced a compromise believed to be linked to Chinese state-sponsored threat actors known as “Salt Typhoon.” Fortunately, T-Mobile stated that no customer data was accessed during this occurrence.

The lawsuit against T-Mobile, filed in King County Superior Court, seeks several remedies. Primarily, it aims to compel T-Mobile to strengthen its cybersecurity practices to comply with established industry standards and improve transparency and customer communication during such incidents. Additionally, the legal action seeks civil penalties under the Washington State Consumer Protection Act, compensating affected customers who suffered damages due to the breach.

This case serves as an important reminder that all organizations need stronger cybersecurity measures and greater accountability. Consumers, too, must remain vigilant and demand transparency and protection from organizations entrusted with their information. Washington State’s action against T-Mobile could pave the way for more stringent regulations and corporate responsibility in data privacy, ensuring that similar incidents are less likely to occur in the future.

If you want to know more about how to protect your business or personal information, the lawsuit against T-Mobile, or if you think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone or text, chat live on the web, or exchange emails during our regular business hours (6 a.m.-5 p.m. PT). Just visit idtheftcenter.org to get started.

Thanks to SentiLink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts. We will return next week with another episode of the Weekly Breach Breakdown. I’m Tim Walden; until then, thanks for listening.