T-Mobile, the second largest telecom group in the U.S., is on the line again in a new class action lawsuit demanding the wireless provider giant be made to pay for a data breach that allegedly exposed the personal information of millions of customers to hackers.
Named plaintiffs David Lopez and Jerome Cascio, on behalf of themselves and others, have filed a new class action lawsuit against T-Mobile U.S. Inc. and its subsidiary, T-Mobile USA Inc. on Jan. 24. The complaint in Cook County Circuit Court followed fast after an announcement of a new data breach on January 19. The breach involves approximately 37 million customers. The claim is focused on allegedly violations of the Illinois Consumer Fraud Act.
According to the complaint, T-Mobile allegedly did not have adequate cybersecurity procedures and practices in place to protect customers' private information. Further, the complaint asserts T-Mobile was allegedly fully aware of its obligations to protect the privacy of its customers and allegedly knew the repercussions of failing to do so.
The complaint asserts T-Mobile was also aware that they allegedly continue to be a favorite target for hackers. The complaint notes multiple security events have exposed customers to the ongoing threat including breaches in 2018, one in 2021 that impacted close to 50 million people, and a series of breaches perpetrated by the Lapsu$ cybercrime group in March 2022.
In a statement, T-Mobile acknowledged the breach, but asserted any harm was minimal. The company said:
"... We have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts.
"As soon as our teams identified the issue, we shut it down within 24 hours. Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event. There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.
"While no information was obtained for impacted customers that would compromise the safety of customer accounts or finances, we want to be transparent with our customers and ensure they are aware.
"No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised. Some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained, including name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features."
The complaint notes, however, that the new breach came just months after T-Mobile agreed in July 2022 to pay $350 million to settle claims over a lawsuit filed in 2021 over an earlier breach.
The new complaint asserts T-Mobile continues to operate without adequate security and privacy precautions in place.
Had the plaintiffs and class members known that T-Mobile would fail to maintain adequate data security protocols to protect against a breach, the plaintiffs claim they would not have subscribed to their services.
The plaintiffs claim T-Mobile allegedly failed to properly notify their customers in a timely manner as to the full extent of the data breach, and did not do enough to prevent the possible theft of their personal data.
As a result, the plaintiffs contend, they will continue to suffer economic and personal damage.
Among other damages, plaintiffs are requesting compensation for the theft of their identity, costs for ongoing monitoring services, unauthorized charges on their debit and credit card accounts, damages from potential fraud and identity theft, and out-of-pocket loss/expenses including time spent to resolve the effects of the data breach.
They are also seeking unspecified punitive damages and attorney fees and legal costs.
Plaintiffs are represented by attorneys Bryan Paul Thompson and Robert W. Harrer of the Chicago Consumer Law Center, of Chicago