Consumers file dual suits against the telecommunications giant.
T-Mobile is facing two class action lawsuits in Washington federal court concerning allegations that current and former customers were directly impacted by a cyberattack against the company. Public data shows that, in the U.S., T-Mobile has more than 104 million customers. It became the second-largest telecommunications company, behind only Verizon, after it merged with Sprint in 2018.
One of the lawsuits (Espanoza v. T-Mobile USA) claims the telecommunications company put plaintiffs and class action members “at considerable risk due to the company’s failure to adequately protect its customers as a result of negligent conduct.” The lawsuit contends, “Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes, including but not limited to fraudulently applying for unemployment benefits, opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ information to obtain government benefits (including unemployment or COVID relief benefits), filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph and providing false information to police during an arrest.”
The other lawsuit (Durwalla v. T-Mobile USA) includes allegations that customers have already “spent as much as 1,000 hours addressing privacy concerns stemming from the attack, including reviewing financial and credit statements for evidence of unauthorized activity.” It states, “T-Mobile knew its systems were vulnerable to attack. Yet it failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ personal information, yet again putting millions of customers at great risk of scams and identity theft.” The filing continues, “Its customers expected and deserved better from the second largest wireless provider in the country.”
Both lawsuits cite violations of the Washington Consumer Protection Act and the California Consumer Privacy Act and are seeking compensatory damages and reimbursement of out-of-pocket expenses. There is also a request for injunctive relief, including improvements to T-Mobile’s security protocols, yearly audits, credit monitoring, and an order to prevent the company from keeping personal data in a cloud-based database.
When the privacy breach was initially announced, T-Mobile warned that it affected approximately “7.8 million current postpaid customer accounts and 40 million former or prospective T-Mobile customers, stealing data including first and last names, date of birth, social security numbers, and driver’s license and ID information.”
“Our investigation is ongoing and will continue for some time, but at this point, we are confident that we have closed off the access and egress points the bad actor used in the attack,” the company stated, adding, “We’re relentlessly focused on taking care of our customers – that has not changed. We’ve been working around the clock to address this event and continue protecting you, which includes taking immediate steps to protect all individuals who may be at risk.”
In order to help its customers, the company is offering two years of free identity protection with McAfee’s ID Theft Protection Service.