Verizon, T-Mobile, Sprint, and AT&T Hit With Class Action Lawsuit Over Selling Customers’ Location Data

On Thursday, lawyers filed lawsuits against four of the country’s major telecommunications companies for their role in various location data scandals uncovered by Motherboard, Senator Ron Wyden, and The New York Times. Bloomberg Law was first to report the lawsuits.

The news provides the first instance of individual telco customers pushing to be awarded damages after Motherboard revealed in January that AT&T, T-Mobile, and Sprint had all sold access to the real-time location of their customers’ phones to a network of middlemen companies, before ending up in the hands of bounty hunters. Motherboard previously paid a source $300 to successfully geolocate a T-Mobile phone through this supply chain of data.

“Through its negligent and deliberate acts, including inexplicable failures to follow its own Privacy Policy, T-Mobile permitted access to Plaintiffs and Class Members’ CPI and CPNI,” the complaint against T-Mobile reads, referring to “confidential proprietary information” and “customer proprietary network information,” the latter of which includes location data.

The complaints against T-Mobile, AT&T, and Sprint are largely identical, and all also mention how each carrier ultimately provided data to a company called Securus, which allowed low level law enforcement to locate phones without a warrant, as The New York Times first reported in 2018. The complaint against Verizon focuses just on the Securus case. However, Motherboard previously reported how Verizon sold data that ended up in the hands of another company, called Captira, which then sold it to the bail bondsman industry.

The class in each lawsuit covers an approximation of the telcos’ individual customers between April 30, 2015 and February 15, 2019: 100 million for Verizon, 100 million for AT&T, 50 million for T-Mobile, and 50 million for Sprint. Each lawsuit is filed in the name of at least one customer for each telco, and they are seeking unspecified damages to be determined at trial, the complaints read.

The thrust of the complaints center around whether each telco violated section 222 of the Federal Communications Act (FCA), which says that the companies are obligated to protect the CPI and CPNI of its customers, and whether the Plaintiff’s and Class Members’ CPNI was accessible to unauthorized third parties during the relevant period.

The suits were filed by Z LAW, a “consumer protection law firm,” according to its website.

“We are reviewing the legal filing and have no further comment at this time,” a Sprint spokesperson told Motherboard in an email.

“We can’t comment on pending litigation,” a T-Mobile spokesperson wrote in an email.

Verizon and AT&T did not immediately respond to a request for comment.

When Motherboard reported in January that AT&T, T-Mobile, and Sprint had sold their customer data to companies that ultimately provided it to bounty hunters and other people unauthorized to handle it, each telco said they were stopping the sale of phone location data to third-parties altogether. AT&T and T-Mobile previously told Motherboard they have already done so, and Sprint said it plans to by the end of May. Verizon made its own commitment after the 2018 Securus scandal.

After Motherboard’s January investigation, 15 Senators called for the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) to properly investigate the sale of phone location data to bounty hunters. The House Committee on Energy and Commerce asked FCC Chairman Ajit Pai to hold an emergency briefing on the issue; Pai refused.

Motherboard also previously reported that 250 bounty hunters had access to AT&T, T-Mobile, and Sprint phone location data from another company that catered specifically to the bail bond industry. Some of that data included highly precise assisted GPS data, which is usually reserved for 911 responders.

Subscribe to our new cybersecurity podcast, CYBER.