T-Mobile is facing a class action lawsuit for its most recent data breach, in which hackers stole data on at least 47 million current, former, and prospective customers, including Social Security Numbers, according to a copy of the class action complaint filed in a Washington court.
The move comes after Motherboard broke news of the breach on Sunday. At the time, a hacker was advertising 30 million SSNs from an unnamed source. Motherboard verified the data was sourced from T-Mobile; T-Mobile itself later confirmed the contours of the breach.
The plaintiffs and class members of the lawsuit say their identities "are now at considerable risk because of Defendant's [T-Mobile's] negligent conduct since the Private Information that T-Mobile collected and maintained is now in the hands of data thieves." The lawsuit adds that the victims may now face losing time and money dealing with the fallout of the data breach, including buying protective measures or because of attempted fraud and identity theft.
Do you work at T-Mobile? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
T-Mobile has offered customers free credit monitoring, but the lawsuit describes this move as "inadequate."
"Defendant places the burden squarely on Plaintiffs and Class Members by requiring them to expend time signing up for that service, as opposed to automatically enrolling all victims of this cybercrime. In addition, Defendant only offers these services for two years, even though experts agree that the effects of such a data breach can often be felt by victims for around seven years," the lawsuit continues.
The class action was filed by Morgan & Morgan, Terrell Marshall Law Group, Arnold Law Firm, Mason Lietz & Klinger, and The Consumer Protection Firm.
"Consumers entrust their valuable, personal information to companies with the reasonable expectation that it be kept confidential and secure. T-Mobile, a leading telecommunications company, allegedly failed to fully implement a data security system to protect their customers from cyberattacks. Their alleged reckless actions and inactions have exposed customers to years of constant surveillance of their financial and personal records, monitoring, and loss of rights. We will continue to hold companies accountable and fight to ensure all institutions do more to protect people’s data," Morgan & Morgan attorneys John Morgan and John Yanchunis said in an emailed statement.
Beyond granting the plaintiffs an unspecified amount of damages, the class action asks the court to prohibit T-Mobile from keeping "personal identifying information on a cloud-based database."
Subscribe to our cybersecurity podcast CYBER, here.