WASHINGTON, Jan. 14, 2025 – The Office of the Attorney General for Washington State has filed a lawsuit against T-Mobile, accusing the company of negligence in a massive data breach.

The breach, which began in March 2021 and continued until Aug. 12, 2021, exposed sensitive information of over 79 million Americans, including 2 million Washington residents, according to the lawsuit filed in King County Superior Court.

Of those, 183,406 Washington state residents had their Social Security numbers compromised, the attorney general’s office stated in a press release. Other data exposed included phone numbers, names, physical addresses and driver’s license information, among other personal data.

“This significant data breach was entirely avoidable. T-Mobile had years to fix key vulnerabilities in its cybersecurity systems – and it failed,” Attorney General Bob Ferguson said Jan. 6, 2025, the day the lawsuit was filed.

The suit asserts that T-Mobile violated Washington’s Consumer Protection Act by failing to address known cybersecurity vulnerabilities, misleading customers about its ability to protect their data, and understating the breach's impact in notifications sent to consumers.

T-Mobile responded to the lawsuit in a statement to Broadband Breakfast, expressing surprise at the state’s decision to file the suit.

“We have had multiple conversations about this incident from 2021 with the Washington AG's office over the last several years and even reached out in late November to continue discussions, so the office’s decision to file a lawsuit came as a surprise,” the company said.

“While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC. We also look forward to sharing how T-Mobile has fundamentally transformed our approach to cyber security over the past four years to further protect our customers,” according to the company.

Details of the hack

“When it learned of the data breach, T-Mobile’s notification to affected consumers was inadequate in numerous ways,” the release noted. “Current customers received text messages that were brief, omitted critical and legally required information, and in some cases misled customers regarding the severity of the breach. Moreover, current customers whose Social Security numbers were exposed did not receive any information regarding that exposure.”

Before the 2021 hack, T-Mobile had witnessed “numerous cyberattacks” and knew it would continue to be a target as early as 2020 based on a U.S. Securities and Exchange Commission filing, Ferguson said.

“For years prior to August 2021, T-Mobile did not meet industry standards for cybersecurity and knew about these vulnerabilities. These included insufficient processes for identifying and addressing security threats and a systemic lack of oversight. In some cases, T-Mobile used obvious passwords to protect accounts that had access to customers’ sensitive personal information. The 2021 breach was enabled, in part, when the hacker guessed obvious credentials to gain access to T-Mobile’s internal databases,” the release continued.

Ferguson’s lawsuit seeks civil penalties and restitution for the Washingtonians harmed. It also seeks injunctive relief to require improvements to T-Mobile’s cybersecurity policies and procedures, as well as increased transparency in communications about cybersecurity to its customers.

Assistant Attorneys General Mina Shahin, Kathleen Box, Bret Finkelstein, Gardner Reed, Paralegal Matt Hehemann, Legal Assistant Luis Oida and Investigator Steuart Markley are handling the case for Washington.