[BreachExchange] T-Mobile hit with class-action lawsuits over data breach

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Aug 23 09:42:07 EDT 2021


https://www.foxbusiness.com/technology/t-mobile-hit-with-class-action-lawsuits-over-data-breach

T-Mobile has been hit with a pair of class-action lawsuits in Washington
federal court as the number of current and former customers impacted by a
cyberattack against the telecommunications giant grows.

One of the lawsuits, Espanoza v. T-Mobile USA, accuses T-Mobile of putting
plaintiffs and class-action members at "considerable risk" due to the
company's failure to adequately protect its customers as a result of
negligent conduct.

"Armed with the Private Information accessed in the Data Breach, data
thieves can commit a variety of crimes, including but not limited to
fraudulently applying for unemployment benefits, opening new financial
accounts in Class Members’ names, taking out loans in Class Members’ names,
using Class Members’ information to obtain government benefits (including
unemployment or COVID relief benefits), filing fraudulent tax returns using
Class Members’ information, obtaining driver’s licenses in Class Members’
names but with another person’s photograph and providing false information
to police during an arrest," the complaint states.

The other lawsuit, Durwalla v. T-Mobile USA, alleges victims have already
spent as much as 1,000 hours addressing privacy concerns stemming
from the attack, including reviewing financial and credit statements for
evidence of unauthorized activity.

"T-Mobile knew its systems were vulnerable to attack. Yet it failed to
implement and maintain reasonable security procedures and practices
appropriate to the nature of the information to protect its customers’
personal information, yet again putting millions of customers at great risk
of scams and identity theft," the filing adds. "Its customers expected and
deserved better from the second largest wireless provider in the country."

Together, the suits seek a range of actions for violations of the
Washington Consumer Protection Act and the California Consumer Privacy Act,
including compensatory damages and reimbursement of out-of-pocket costs for
the efforts to repair any damage from the fraud.

Plaintiffs and class action members are also asking for injunctive relief,
such as improvements to T-Mobile's data security systems, future annual
audits, adequate credit monitoring services funded by the company, and an
order to prohibit T-Mobile from keeping personal data on a cloud-based
database.

T-Mobile previously reported that the breach compromised approximately 7.8
million current postpaid customer accounts and 40 million former or
prospective T-Mobile customers, stealing data including first and last
names, date of birth, Social Security numbers, and driver’s license/ID
information.

T-Mobile said in an update Friday that another 5.3 million current postpaid
customer accounts and 667,000 accounts of former T-Mobile customers have
also been identified as targets, with customer names, addresses, dates of
birth, phone numbers, IMEIs and IMSIs, the typical identifier numbers
associated with a mobile phone, illegally accessed.

T-Mobile continues to work "around the clock" on its investigation into the
cyberattack.

"Our investigation is ongoing and will continue for some time, but at this
point, we are confident that we have closed off the access and egress
points the bad actor used in the attack," the company noted.

In order to help its customers, the company is offering two years of free
identity protection services with McAfee’s ID Theft Protection Service to
any person who believes they may be affected and is recommending all
eligible customers sign up for Scam Shield's free scam-block protection. In
addition, approximately 850,000 active T-Mobile prepaid customer accounts
that were exposed have had their PINs reset.

T-Mobile emphasized that there is no indication that any customers'
financial information, credit card information, debit or other payment
information has been accessed.