T-Mobile US Data Breach Announced in January 2023 Class Action

Given its enormous number of customers, T-Mobile US, Inc. stores a great deal of personally identifiable information (PII). The company has suffered yet another data breach that is estimated to affect around 37 million people and possibly even more, and the complaint for this class action alleges that the company bears responsibility for this.

Two classes have been defined for this action:

• The Nationwide Class for this action is all persons living in the US whose PII was compromised in the data breach announced by T-Mobile US in January 2023.
• The California Class is all persons living in California whose PII was compromised in the data breach announced by T-Mobile US in January 2023.

The company announced that its files had been accessed by an authorized party on or around January 20, 2023. The complaint quotes a USA Today story referring to a T-Mobile filing with the Securities and Exchange Commission: “T-Mobile said the hack was discovered on Jan. 5. The unidentified hacker (or hackers) obtained data starting around Nov. 25 through a single Application Programming Interface, the company said.”

The complaint alleges that some of the individual victims only learned that their data had been compromised when they saw new reports about it on around January 20, 2023.

“The number of individuals affected has been estimated [at] 37 million customers by [T-Mobile US],” the complaint alleges, “however, because [T-Mobile US] is one of the largest technology companies, the breach could have involved hundreds of millions of users.”

The complaint claims that, in this day and age, with so many data breaches occurring, in technology companies and others, the T-Mobile data breach “was highly foreseeable.” Other companies have reported extensive and high-profile data breaches in recent years. “In fact,” the complaint alleges, “earlier this year, [T-Mobile] was the target of a massive security breach orchestrated by the ransomware criminal enterprise ‘Lapsus$,’ which resulted in the theft of nearly 200GB of highly sensitive internal data.”

“Upon information and belief,” the complaint alleges, the PII stolen “was unencrypted and unredacted PII and was compromised due to [T-Mobile US’s] negligent and/or careless acts and omissions.”

T-Mobile has sufficient resources to invest in measures to prevent such data breaches, the complaint contends, but it does not do so. “Accordingly,” the complaint claims, T-Mobile “breached its common law, statutory, and other duties owed to Plaintiff and Class Members.”

The complaint lists measures that it claims T-Mobile US should have taken to protect the information, such as maintaining “a secure firewall configuration” and “appropriate design, systems, and controls to limit user access” and monitoring such things as “suspicious or irregular traffic to servers” and “server requests for PII.”

It also claims T-Mobile US did not comply with the guidelines set forth in a Federal Trade Commission publication called “Protecting Personal Information: A Guide for Business.” The complaint thus holds T-Mobile responsible for the data breach and the risks it poses to its customers.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy