Massive New T-Mobile Data Breach Class Action Names 46 Plaintiffs

A new tagalong class action seeks to hold T-Mobile accountable for the massive data breach it disclosed in a Jan. 19 SEC filing (see 2301230046). But the complaint, filed Wednesday (docket 3:23-cv-00427) in U.S. District Court for Southern California in San Diego, is unique among the others for the voluminous number of plaintiffs it names -- 46. We believe it to be the 16th class action filed since T-Mobile disclosed that bad actors accessed the personally identifiable information (PII) of 37 million current prepaid and postpaid account holders (see 2303080003).

The new class action attorney is Ronald Marron, whose office is involved in at least one other class action stemming from the Jan. 19 disclosure. Dollson v. T-Mobile (docket 2:23-cv-00172) was filed Feb. 3 in U.S. District Court for Western Washington in Seattle. Typifying the status of the other class actions previously filed against T-Mobile, U.S. District Judge John Coughenour signed an order Feb. 28 granting the parties’ stipulated motion to stay all proceedings and deadlines until the Judicial Panel on Multidistrict Litigation rules on the pending petition to transfer the cases and consolidate them for pretrial proceedings under a single district judge.

The 46 plaintiffs in the new class action bring claims of negligence, breach of contract, breach of implied contract, unjust enrichment and invasion of privacy against T-Mobile under the unfair competition and consumer protection statutes of a dozen states. The complaint also asserts claims on behalf of subclasses in 15 states. “Given that little information” on the data breach, including the systems affected, has "been revealed to the public,” the plaintiffs anticipate “additional support for their claims will be uncovered following a reasonable opportunity for discovery,” said the complaint.

Lead plaintiff Elizabeth Shoemaker, a California resident, “places significant value in the security of her PII,” said the complaint. Due to T-Mobile’s “failure to adequately protect the sensitive information entrusted to it,” Shoemaker and members of the proposed class “suffered actual damages,” it said. It cited the time they’re now forced to spend monitoring their accounts for fraudulent activity.

Shoemaker “has been and will continue to be at a heightened and substantial risk of future identity theft and its attendant damages for years to come” as a result of T-Mobile’s negligence, said the complaint. “Such risk is certainly real and impending, and is not speculative," given the highly sensitive nature of the PII compromised, it said.

By collecting and maintaining sensitive personal information, T-Mobile “had a common law duty of care to use reasonable means to secure and safeguard the sensitive personal information and to prevent disclosure of the information to unauthorized individuals,” said the complaint of the negligence claim. “T-Mobile’s duty included a responsibility to implement processes by which it could detect a data breach of this type and magnitude in a timely manner.”

In the invasion of privacy claim, the plaintiffs assert they “reasonably expected that the PII they shared with T-Mobile would be protected and secured against access by unauthorized parties,” said the complaint. By failing to keep the PII secure, and disclosing the PII “to unauthorized parties for unauthorized use,” T-Mobile unlawfully invaded the plaintiffs’ “privacy right to seclusion,” it said.