T-Mobile Hit with Class Action Over ‘Massive’ Data Breach Reportedly Affecting 100M Customers [UPDATE]

T-Mobile US, Inc. was hit with a proposed class action on Thursday over a data breach announced just days earlier that reportedly affected over 100 million customers.

The 38-page case out of Georgia federal court alleges T-Mobile, the operator of the second-largest wireless network in the U.S., “betrayed the trust” of its customers by failing to adequately protect their personal information from unauthorized access.

According to the lawsuit, T-Mobile’s failure to implement proper security measures and protocols has caused customers’ personally identifiable information—including names, dates of birth, Social Security numbers, driver’s license and government ID information, addresses, phone numbers, International Mobile Equipment Identity (IMEI) numbers and account PINs—to be exposed to potentially nefarious actors sometime before August 15, 2021.

The case claims affected customers are now at a heightened risk of identity theft and fraud due to T-Mobile’s actions—or lack thereof. Per the suit, the defendant’s conduct “amounts to negligence and violates federal and state statutes.”

The Data Breach

According to the complaint, the first public report of the T-Mobile data breach came in the form of an August 15 article on Vice.com, which stated that a forum post claimed to be selling “a mountain of personal data.” While the post didn’t mention T-Mobile, the seller had reportedly told Vice that the data included the personal information of more than 100 million people obtained from T-Mobile servers. Moreover, the seller speculated that T-Mobile already knew about the breach because “we lost access to the backdoored servers,” according to Vice.

T-Mobile, after telling Vice that it was “actively investigating” the claims, reported in a press release the next day that it had “determined that unauthorized access to some T-Mobile data occurred,” the lawsuit relays. In an August 17 press release, T-Mobile acknowledged that the stolen data included the “first and last names, date of birth, SSN, and driver’s license/ID information” of roughly 7.8 million current customers and over 40 million former or prospective customers who had applied for credit with T-Mobile. The defendant added that approximately 850,000 active customers’ names, phone numbers and account PINs were also exposed and “some additional information from inactive prepaid accounts” was accessed through prepaid billing files.

Today, one day after the lawsuit was filed, T-Mobile added that customers’ phone numbers and IMEI and IMSI information, i.e., “the typical identifier numbers associated with a mobile phone,” were also compromised in the breach. The company went on to confirm that an additional 5.3 million customer accounts and 667,000 former customer accounts had been illegally accessed. More information about the incident can be found on T-Mobile’s website.

According to the lawsuit, there is “little question” that T-Mobile failed to come through on its promises regarding data security. Given that it appears T-Mobile found out about the “massive breach” when the hacker posted about it in an online forum, and not from proper maintenance of its systems, it’s likely that T-Mobile’s data security and protocols were not up to snuff, the case alleges.

“The fact that T-Mobile purports to have quickly located and closed the access point to the T-Mobile servers suggests that proper maintenance would have ameliorated the threat, that T-Mobile’s cybersecurity surveillance systems were lacking and subpar, and that T-Mobile was negligent in maintaining its systems and safeguarding Plaintiff’s and Class members’ [personally identifiable information],” the complaint summarizes.

The lawsuit seeks injunctive relief requiring T-Mobile to make changes to its cybersecurity systems and practices to protect customers’ data from further threats. It also requests that affected customers be compensated for damages stemming from the breach, including the publication of personally identifiable information, actual identity theft, out-of-pocket expenses associated with identity theft prevention, and “future costs in terms of time, effort, and money that will be expended as a result of the Data Breach for the remainder of the lives of Plaintiff and other members of the proposed class.”

“A cybercriminal, especially one with millions of records, can hold on to stolen information for years until the news of the theft has subsided, then steal a victim’s identity, credit, and bank accounts, resulting in thousands of dollars in losses and lost time and productivity,” the complaint explains. “Thus, Plaintiff and Class members must take additional steps to protect their identities. And Plaintiff and Class members must bear the burden and expense of identity and credit monitoring, and heightened vigilance for years to come.”

Who Does the Lawsuit Look to Cover?

The case proposes to cover anyone in the U.S. whose personal information was acquired or accessed by unauthorized individuals as a result of the T-Mobile breach announced on August 16, 2021.

How Do I Join the Lawsuit?

There’s typically nothing you need to do to join or be considered part of a class action lawsuit. If the case moves forward and settles, that’s when class members, i.e., those who fit the criteria mentioned above, should receive notice of the settlement and be able to file claims for whatever compensation the court deems appropriate.

For now, one of the best things to do is to stay informed. We’ll post any notable updates to this page, but keep in mind that it can sometimes take months or even years for a class action to be resolved.

You can also sign up for ClassAction.org’s free weekly newsletter to get information about class action cases and settlements sent straight to your inbox. Enter your email address here to sign up.