T-Mobile has been struck with two class-action lawsuits in federal court in Washington, as the number of current and former customers affected by the telecommunications giant’s cyberattack rises.
Espanoza v. T-Mobile USA, for example, charges T-Mobile of putting plaintiffs and class-action members at “considerable risk” as a result of the company’s inability to effectively protect its customers owing to irresponsible conduct.
“Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes, including but not limited to fraudulently applying for unemployment benefits, opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ information to obtain government benefits (including unemployment or COVID relief benefits), filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph and providing false information to police during an arrest,” the complaint states.
Durwalla v. T-Mobile USA, on the other hand, claims that victims have already spent up to 1,000 hours dealing with privacy concerns arising from the attack, including scrutinising financial and credit accounts for proof of unlawful activity.
“T-Mobile knew its systems were vulnerable to attack. Yet it failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ personal information, yet again putting millions of customers at great risk of scams and identity theft,” the filing adds. “Its customers expected and deserved better from the second largest wireless provider in the country.“
The lawsuits seek a variety of remedies for violations of the Washington Consumer Protection Act and the California Consumer Privacy Act, including compensatory damages and payment of out-of-pocket expenditures incurred in repairing any fraud-related damage.
Injunctive remedy is being sought, including improvements to T-data Mobile’s security protocols, future annual audits, proper credit monitoring services provided by the corporation, and an order prohibiting T-Mobile from maintaining personal data on a cloud-based database.
T-Mobile previously stated that the breach affected 7.8 million current postpaid customer accounts and 40 million former or prospective T-Mobile customers, taking personal information such as first and last names, dates of birth, Social Security numbers, and driver’s license/ID information.
Another 5.3 million current postpaid customer accounts and 667,000 former T-Mobile customer accounts have been identified as targets, with customer names, addresses, dates of birth, phone numbers, IMEIs and IMSIs, the typical identifier numbers associated with a mobile phone, illegally accessed, according to a T-Mobile update released Friday.
T-Mobile continues to work “around the clock” on its investigation into the cyberattack.
“Our investigation is ongoing and will continue for some time, but at this point, we are confident that we have closed off the access and egress points the bad actor used in the attack,” the company noted.
To assist its clients, the company is providing two years of free identity theft protection through McAfee’s ID Theft Protection Service to anyone who suspects they may have been affected, as well as advising that all eligible customers sign up for Scam Shield’s free scam-blocking protection. Additionally, the PINs for approximately 850,000 active T-Mobile prepaid customer accounts that were exposed were reset.
T-Mobile stressed that no bank information, credit card information, debit card information, or other payment information had been accessed.