T-Mobile is being sued over its 2021 data breach… again

Data breaches are an unfortunate part of the digital interconnected era that we live in. But, whose fault is it really? Sometimes it’s no one’s fault. Sometimes the hackers are just that good. Other times, it might be the company’s fault, which is why T-Mobile is in hot water yet again and is being sued over a data breach that took place back in 2021.

Another lawsuit

Attorney General Bob Ferguson is filing a lawsuit, alleging that T-Mobile failed to “adequately secure sensitive personal information of more than 2 million Washingtonians.” The lawsuit also seeks compensation for consumers impacted by the 2021 breach. Ferguson is also hoping that the lawsuit would force T-Mobile to improve on its cybersecurity practices and bring it in line with industry standards.

This is not the first time that T-Mobile has found itself in legal trouble over the 2021 data breach. Customers brought a class-action lawsuit against T-Mobile back in 2022. This resulted in T-Mobile paying an eye-watering $350 million to settle the case against it.

The company also found itself in the crosshairs of the FCC which investigated it over its repeated cybersecurity issues. This resulted in a smaller $15.75 million fine back in 2024. As part of the deal, the carrier also paid another $15.75 million to improve its cybersecurity infrastructure.

Was this preventable?

So the question is, is T-Mobile really at fault here? Or are the hackers simply that good? According to the lawsuit filed by Ferguson, he believes that T-Mobile is at fault. The Attorney General claims T-Mobile “had years” to fix the key vulnerabilities that led to the data breach. “This significant data breach was entirely avoidable. T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”

He also claims that the company failed to properly notify the two million Washington residents impacted by the breach. It also seems that T-Mobile had breached the Consumer Protections Act. This is because the carrier apparently omitted key information that made it difficult for customers to determine if they were at risk of potential identity theft or fraud.

The breach exposed a lot ton sensitive data. This included names, phone numbers, physical addresses, date of birth, Social Security numbers, driver’s license numbers, and so on. It also affected not just existing customers, but former and prospective customers.

T-Mobile has yet to comment on the fact that it is being sued again over this nearly four-year-old data breach.

Update:

T-Mobile has given us the following statement regarding this article:

“We have had multiple conversations about this incident from 2021 with the Washington AG’s office over the last several years and even reached out in late November to continue discussions, so the office’s decision to file a lawsuit today came as a surprise. While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC. We also look forward to sharing how T-Mobile has fundamentally transformed our approach to cyber security over the past four years to further protect our customers.”