T-Mobile Notifications 'Woefully Inadequate': 9th Data Breach Suit
T-Mobile’s process for notifying customers about its November data breach was “far from straightforward and woefully inadequate,” alleged the ninth known federal class action (docket 2:23-cv-00766) resulting from the breach, filed Wednesday in U.S. District Court for Central California in Los Angeles.
T-Mobile disclosed the breach, which occurred around Nov. 25, in a Jan. 19 8-K filing at the SEC, and followed it with a news release that was “even less forthcoming” about the risks of identity theft and fraud that its customers would face, alleged the complaint. Customers were required to log in to their T-Mobile accounts online or through their mobile app to see whether they were affected by the breach, said plaintiff Oscar Munoz, of Los Angeles.
Customers who had their accounts set to auto payments may not have had a need to log in to their accounts “and would otherwise not see this notice online,” the complaint said. T-Mobile said the breach notice would be included in monthly statements to customers, but it wasn’t clear if paperless customers would receive a mailed notice that they had been subject to the breach, the plaintiff said. “More confusing,” some T-Mobile customers, including those who use Metro or Assurance, receive notices by text and email, “but no apparent similar notices are provided to the primary T-Mobile customers.” It’s not clear why T-Mobile can't do so "since it must also have these customers’ phone and email contact information,” it said.
T-Mobile failed to notify customers about the scope of the breach, which was also reported to have affected Google Fi customers, alleged the complaint. It cited a TechCrunch report Tuesday linking T-Mobile to a Jan. 30 email from Google informing customers that its primary network provider reported “suspicious activity” involving a “third-party support system containing a ‘limited amount’ of Google Fi customer data.” The timing of the notice -- and "that Google Fi uses a combination of T-Mobile and U.S. Cellular for network connectivity -- suggests the breach is linked to T-Mobile,” said the article.
The Google email said hackers had access to “limited” customer information, including phone numbers, account status, SIM card serial numbers, and information on details about customers’ mobile service plan, such as whether they have unlimited SMS or international roaming, said the complaint. Such data could allow bad actors to engage in SIM swapping, where a victim’s phone number could be used to send and receive phone calls and texts to “gain access to (and reset passwords) a victim’s other online accounts.” Google didn’t comment Friday.
The complaint claims violation of California’s Unfair Competition Law, negligence, breach of implied contract and unjust enrichment. Plaintiff seeks actual and punitive damages, plus pre- and post-judgment interest “at the highest legal rates applicable,” and injunctive relief, plus attorneys’ fees and legal costs.
A 10th class action, brought by Edward Polhill of Michigan and Steven Vash of Georgia was filed Wednesday in U.S. District Court for Northern Georgia in Atlanta, for T-Mobile’s “failure to properly secure and safeguard" the sensitive and personal identifiable contact and demographic information of plaintiffs and class members. The carrier failed to warn plaintiffs of its “inadequate information security practices” or secure its hardware containing protected personal data, alleged the complaint (docket 1:23-cv-00489).