The US state of Washington has sued T-Mobile over the mobile phone giant's alleged failure to secure the personal data of millions of state residents ahead of a data breach in August 2021, and the US state has since sued T-Mobile for allegedly failing to secure the personal data of millions of state residents ahead of an August 2021 data breach. influenced.
Washington State Attorney General Bob Ferguson said in a statement announcing the lawsuit that T-Mobile “knew about certain cybersecurity vulnerabilities for years and took sufficient steps to address them.” There wasn't.” Ferguson said the lawsuit seeks economic damages under the state's consumer protection law and an order for T-Mobile to improve its cybersecurity policies.
The hack of T-Mobile in August 2021 was the latest in a series of data breaches at the company in recent years, with at least five security incidents dating back to 2018, according to a tally by TechCrunch. The breach gave hackers access to T-Mobile's systems and exposed customers' names, dates of birth, social security numbers, and driver's license information. Some of the stolen T-Mobile customer data was subsequently published on known cybercrime forums.
Ferguson accused T-Mobile of improperly notifying affected customers after the breach, “omitting critical information and downplaying the severity,” which led to an assessment of the risk of identity theft and fraud. said Ferguson.
“This major data breach was completely avoidable,” Ferguson was quoted as saying in a press release. “T-Mobile took years to fix major vulnerabilities in its cybersecurity systems and failed.”
The lawsuit, filed in federal court in Seattle, included significant redactions that hid certain technical details about the August 2021 hack, but the complaint says the hackers were unable to access and download It appears to detail alleged technical security flaws and internal policies that may have facilitated the attack. Customer data from T-Mobile's servers.
The unredacted section states that hackers targeting T-Mobile discovered “easy-to-guess usernames and passwords.” T-Mobile “used weak credentials” for accounts accessing internal systems. And T-Mobile says it “allowed connections from the threat actor's IP address” from outside its network. The complaint also states that T-Mobile does not implement rate limiting on login attempts, allowing hackers to freely test many credentials without locking out the employee account in question.
The complaint also alleges that the company's “inadequate monitoring and alert settings” made it easier for hackers to gain undetected access to T-Mobile's network.
Ferguson's complaint adds that T-Mobile's public statements misrepresent the adequacy of its cybersecurity defenses and the threat to T-Mobile customer data found on the dark web, adding that the company's actions “There was the potential to deceive a significant number of Washington state consumers.” ”
A T-Mobile spokesperson did not immediately comment on the lawsuit when contacted Monday.