T-Mobile Massive Data Exfiltration Class Action

The complaint for this class action opens by quoting a Wired Magazine article entitled, “The T-Mobile Data Breach is One You Can’t Ignore.” The complaint for this class action opens by quoting it as saying, “Not all data breaches are created equal. None of them are good, but they do come in varying degrees of bad. … Still, a T-Mobile breach that hackers claim involved the data of 100 million people deserves your attention…” The complaint brings suit against T-Mobile USA, Inc. for this massive data breach.

Two classes have been defined for this action:

• The Nationwide Class is all US residents whose data was exfiltrated in the data breach.
• The California Class is all California residents whose data was exfiltrated in the data breach.

On the same day as the Wired article was published, T-Mobile announced its servers had been accessed by hackers using the name “@und0xxed.”

The hackers claimed the PII stolen included names, addresses, Social Security numbers, driver’s license information, dates of birth, and security PINs, the complaint alleges. For some customers, it says, the stolen information also included unique IMSI and IMEI numbers, which are embedded in mobile devices and can identify the devices and the SIM card that connects the device to a particular telephone number.

According to the Wired article, as quoted in the complaint, the T-Mobile data breach “offers potential buyers a blend of data that could be used to great effect” because “having [this PII] centralized streamlines the [identity theft process for criminals.” It also facilitates particular kinds of fraud: A “database that ties [names and phone numbers] together, along with identifying someone’s carrier and fixed address, makes it much easier to convince someone to click on a link that advertises, say, a special offer or upgrade for T-Mobile customers. And to do so en masse.”

Having IMEIs could also help “in a so-called SIM swap attack” that “could lead to account takeover concerns … since threat actors could access two-factor authentication or one-time passwords tied to other accounts … using a victim’s phone number.” The complaint alleges, “In fact, a previous T-Mobile data breach disclosed in February of this year—one of many it has suffered in the last few years—was used specifically to execute a SIM-swap attack.”

T-Mobile has had “many” data breaches before this, the complaint claims, so it therefore “knew its systems were vulnerable to attack. Yet it failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ personal information, yet again putting millions of customers at great risk of scams and identity theft.”

The California Consumer Privacy Act ( CCPA), the complaint claims, “gives rise to a cause of action when insufficient security results in a breach.” Other causes of action in this case are common law negligence, breach of implied contract, and breach of contract, among other things.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy