T-Mobile 'Should Have Known' Data Breach Risks, Say 2 Class Actions
Attorneys worked the weekend racing to file the first two known class actions to hold T-Mobile accountable for the data breach that enabled bad actors to access, by T-Mobile's own estimation, 37 million current postpaid and prepaid customer accounts. The first filings came with remarkable speed -- within days after T-Mobile disclosed the breach in an 8-K report Thursday at the SEC.
T-Mobile “knew or should have known” its systems would be targeted by cybercriminals, alleged plaintiff Christine Cortazal in the first class action Saturday (docket 3:23-cv-1220) in U.S. District Court for Northern Florida in Pensacola. "In this era of frequent data security attacks and data breaches," especially in the tech industry, T-Mobile's "failures" leading to the data breach are "particularly egregious" because the data breach was "highly foreseeable," alleged plaintiff Jennifer Baughman in the second class action Sunday (docket 2:23-cv-477) in U.S. District Court for Central California in Los Angeles.
Both plaintiffs said T-Mobile informed them of the breach Friday. Aylstock Witkin of Pensacola filed both complaints, and was joined in the Los Angeles class action by Bradley/Grombacher of Westlake Village, California. T-Mobile’s disclosure Thursday said it discovered Jan. 5 that a bad actor or actors accessed its database through an application programming interface. T-Mobile didn’t comment Monday.
Despite the prevalence of public announcements of data breaches -- and its own previous experience as the target of a cyberattack resulting in the theft of 200 GB of data -- T-Mobile “neglected to adequately invest in security measures, despite its obligation to protect such information,” said Cortazal's complaint. T-Mobile didn't use “reasonable security procedures and practices appropriate to the nature of the sensitive, unencrypted information it was maintaining,” it said.
Based on the type of targeted attack, the “sophisticated criminal activity” and the type of personally identifiable information (PII) involved, “there is a strong probability that entire batches of stolen information have been placed, or will be placed,” on the dark web for sale and purchase by criminals for identity theft crimes, said Cortazal's complaint. Those crimes could include opening bank accounts in victims’ names to make purchases or to launder money, file false tax returns or file false unemployment claims, it said.
The fraudulent activity resulting from the data breach “may not become evident for years,” said Cortazal's complaint. That requires class members to “remain vigilant” and monitor financial accounts for many years to mitigate the risk of identity theft, it said. The required mitigation efforts will include contacting a credit bureau to place a fraud alert, reviewing credit reports, contacting companies to remove fraudulent charges, implementing a credit freeze and correcting credit reports, the complaint said.
Consumers are at “imminent risk of identity theft” due to T-Mobile’s “negligent” acts and omissions, alleged plaintiff Baughman in the weekend's second class action. The suit alleges negligence, unjust enrichment, breach of express and implied contract and invasion of privacy.
The breach “was reasonably foreseeable” due to T-Mobile’s size and its previous experience as the target of a cyberattack, said Baughman's complaint. The carrier “failed to heed industry warnings and alerts to provide adequate safeguards” and improperly safeguarded class members’ PII “in deviation of standard industry rules, regulations and practices” at the time of the data breach, the complaint alleged.
Baughman suffered actual injury from having her PII compromised as a result of the data breach, including damage to the value of her PII, its theft, violation of her privacy rights, and “imminent and impending injury arising from the increased risk of identity theft and fraud,” said the complaint. T-Mobile’s actions were “negligent” after customers entrusted their PII with the carrier, which “had a duty to exercise reasonable care” in protecting PII data from being compromised and disclosed to third parties, said the complaint.
Having suffered significant fear, anxiety and stress with her name and contact information “in the hands of criminals,” Baughman expects to spend “considerable time and/or money on an ongoing basis to try to mitigate harms” caused by the data breach, said her complaint. T-Mobile had a duty to “adequately and promptly disclose” that customers’ PII might have been compromised, how it was compromised and the type of data at risk so customers could act to “prevent, mitigate and repair” identity theft that might have occurred, said the complaint.
Baughman accused T-Mobile of “unjust enrichment” by receiving monetary payment for services, at least some of which should have been used for implementation of data security measures to protect customers’ data, said the complaint. She seeks injunctive relief to prevent T-Mobile from engaging in wrongful conduct pertaining to its “misuse” of customers’ PII and its refusal to issue “prompt, complete” disclosures to customers about the breach. The complaint seeks to require T-Mobile to protect, including through encryption, “all data collection in its business in accordance with applicable regulations, industry standards and federal, state or local laws.”
Baughman's class action seeks to require T-Mobile to “delete, destroy and purge” the PII of plaintiffs unless the carrier can provide “reasonable justification for the retention and use of such information” when weighed against privacy interests, said Baughman's complaint. It also seeks to require T-Mobile to implement a comprehensive security program, engage independent third-party security auditors, do regular database scanning, and segment data through firewalls and access controls, “so that if one area of Defendant’s network is compromised, hackers cannot gain access to other portions” of its systems.