Export Compliance Daily is a Warren News publication.
Security 'Awful'

T-Mobile 'Incapable' of Protecting Customers From Data Theft: Complaint

T-Mobile seems “incapable of adequately protecting the information it maintains from and about its customers,” said a 17-count class action Wednesday in U.S. District Court for Western Washington in Seattle (docket 2:23-cv-00211). It’s one of about a dozen complaints filed against T-Mobile since its most recent breach announcement Jan. 19.

Plaintiffs Jessica Bailey of Kentucky, Martye Benjamin of Florida, Fernando Garcia of Texas, Andres Gomez of Idaho, LaTresa Grantham of North Carolina and Mike Magbaleta of New Jersey noted the Nov. 25 data breach, discovered by T-Mobile Jan. 5, was the company's sixth breach in the past four years. On the day the carrier was in court seeking final approval of a $350 million settlement concerning a fall 2021 data breach, it announced the latest breach affecting 37 million customers, the complaint said.

The release and publication of private data is a “harbinger of identity theft,” said the complaint, which said the risk of identity theft quadruples for victims of a breach. “Grave consequences” of a breach, which can continue for years after the date of the event, include thieves opening new financial accounts, obtaining medical services and government benefits, and obtaining a driver’s license in victims’ names, forcing them to maintain at their expense “constant vigilance over the potential misuse of their information.”

The complaint noted the cybercriminal responsible for the 2021 data breach told The Wall Street Journal T-Mobile’s security is “awful.” He accessed customer information via an unprotected router exposed on the internet after scanning the carrier’s known internet addresses for weak spots “using a simple tool available to the public,” the article said.

Plaintiffs' claims include negligence, breach of express and implied contracts, breach of implied duty of good faith and fair dealing and unjust enrichment. The complaint also alleges violation of the Florida Deceptive and Unfair Trade Practices Act, the Idaho Consumer Protection Act, the Kentucky Computer Security Breach Notification Act, the Kentucky Consumer Protection Act, the New Jersey Customer Security Breach Disclosure and Consumer Fraud acts, the North Carolina Identity Theft Protection and Unfair Trade Practices acts, and the Texas Deceptive Trade Practices Act.

Plaintiffs seek actual and statutory damages, restitution and disgorgement; equitable, injunctive and declaratory relief; and legal costs, including experts’ and attorneys’ fees.