T-Mobile is under fire again over its 2021 data breach

T-Mobile is once again being sued by Washington state over the 2021 data breach which exposed sensitive information for over 79 million people, The Verge reports. The lawsuit filed on Monday alleges that T-Mobile had been aware of various security loopholes in its systems for years but didn’t take any action. As a result, a hacker managed to breach T-Mobile in March 2021 and was undetected until August of the same year when an “anonymous cybersecurity threat intelligence firm” told T-Mobile what was happening.

Beyond alleging that T-Mobile knew about these flaws and took inadequate action to fix them, Washington State Attorney General Bob Ferguson also claims T-Mobile’s notifications to customers affected by the breach were inadequate and misleading. The text messages were brief and didn’t reveal the full scope of the breach, only telling customers that debit and credit card information wasn’t exposed while failing to mention their social security numbers and other personally identifiable information were compromised.

The breach’s victims included two million Washington residents. Information from T-Mobile’s databases was later on the dark web for sale to the highest bidder. T-Mobile even supposedly hired a third party to buy exclusive access to the data.

In more than one sense, this isn’t T-Mobile’s first rodeo. The company was already sued by AG Ferguson over a decade ago over “deceptive” ads. It has also been the target of a breach since 2021 — specifically 2024 “Salt Typhoon” attacks on commercial telecommunications companies. T-Mobile claims that its systems and data weren’t impacted significantly.