Export Compliance Daily is a Warren News publication.
Risk 'Materialized'

Data Breach Victim Sues T-Mobile After Fraudsters Try to Open Accounts in His Name

A T-Mobile customer’s risk of identity theft arising from the carrier’s 2021 data breach “materialized” in several instances of fraud over the past two years, alleged a negligence complaint Wednesday (docket 8:24-cv-01303) in U.S. District Court for Middle Florida in Tampa.

Daniel Saleh of Hillsborough County, Florida, alleges his personally identifiable information (PII) was stolen in the “massive” 2021 T-Mobile data breach that affected over 100 million then-current and former customers. T-Mobile informed data breach victims that stolen PII included phone numbers, dates of birth, driver’s license information and Social Security numbers, the complaint said.

Saleh since has received several notices of attempts to open accounts in his name, alleged the complaint. In November 2022, Bank of America notified Saleh that a new account had been opened in his name. When Saleh went to a nearby Bank of America location to investigate, a representative looked up the account and said Saleh’s phone number didn’t match the account. After spending several hours in person and with the bank’s fraud department on the phone, Saleh “was unable to have the account closed,” and he believes the account remains open, the complaint said.

In December 2022, Saleh received a letter from PayPal telling him his credit card application was denied, said the complaint, and the following September, he received a similar letter from Ford, denying credit. The plaintiff has also observed credit inquiries on his credit reports from Equifax, Trans Union and Experian since October, showing two credit applications submitted in his name to JPMorgan Chase, it said. Saleh hadn’t applied for credit in any of those instances and attributed all of them to the T-Mobile data breach.

The plaintiff has “refrained from submitting credit applications out of sheer fear that he will be denied due to the repercussions of the identity theft,” said the complaint. Saleh attributed all the fraudulent attempts to open accounts in his name to the theft of his PII during the T-Mobile breach, alleging the PII was then sold to cyberthieves.

If T-Mobile had had adequate procedures in place to protect its customers’ PII, the fraudsters would not have been able to apply for credit in his name, said the complaint. Saleh will continue to have to spend a “significant amount of time” responding to the effects of the breach, and he remains in “imminent, immediate, and continuing increased risk of harm from fraud and identity theft,” it said.

Saleh may continue to incur out-of-pocket costs for protective measures such as credit monitoring fees, credit report fees, credit freeze fees, and similar costs “directly or indirectly related” to the T-Mobile data breach, the complaint said. He has also suffered a loss of value of his PII when it was stolen by cyberthieves; numerous courts “have recognized the propriety of loss of value damages in related cases,” said the complaint.

In addition to negligence and negligence per se, Saleh asserts claims of breach of implied contract and violation of Florida’s Deceptive and Unfair Trade Practices Act. He requests awards of actual, nominal, punitive and consequential damages; attorneys’ fees and costs; and injunctive relief. T-Mobile didn't comment Thursday.