The State of Washington filed a lawsuit against T-Mobile over a major data breach that occurred in August 2021, alleging the telecom giant failed to secure customer personal data. The company was accused of long-standing cybersecurity vulnerabilities that facilitated the attack.
The breach exposed the sensitive information of more than 79 million individuals across the U.S. Washington Attorney General Bob Ferguson announced the lawsuit, saying, "T-Mobile knew for years about certain cybersecurity vulnerabilities and did not do enough to address them."
The lawsuit seeks financial damages under Washington’s consumer protection laws and aims to compel T-Mobile to strengthen its cybersecurity practices.
During the 2021 hack, the attacker gained unauthorized access to T-Mobile’s internal systems and exfiltrated highly sensitive customer data, including names, dates of birth, Social Security numbers, and driver’s license information. Some of the stolen data was later posted on a known cybercriminal forum.
Attorney General Ferguson criticized T-Mobile’s response to the breach, alleging that the company’s notification to affected customers was insufficient and failed to convey the severity of the attack.
Among its claims, the complaint cites T-Mobile's use of an “easily guessable username and password” that allowed unauthorized system access, as well as weak account credentials for internal systems that failed to meet robust security standards.
Also noted were the absence of rate-limiting protocols, which permitted the attacker to repeatedly guess login credentials without triggering account locks, and faulty monitoring and alert mechanisms.
The complaint also accuses T-Mobile of providing false assurances about its cybersecurity protections and downplaying the threat posed to customers’ information found on the dark web, leaving customers ill-equipped to assess their identity theft or fraud risk.
T-Mobile has yet to issue a detailed public response to the lawsuit. However, in a statement provided by spokesperson Michelle Jacob, the company expressed surprise at the legal action.
The 2021 breach is part of a series of cybersecurity incidents T-Mobile has experienced, with at least five breaches recorded since 2018, as well as one in 2024.