How angry T-Mobile subscribers responded to the latest data breach

The number of T-Mobile customers who were victimized by a recent data breach is believed to be 53 million according to the carrier, including 7.8 million postpaid subscribers. Bloomberg reported on Friday that a pair of class-action lawsuits have been filed against the wireless provider. The suits accuse the nation's second-largest carrier of violating the California Consumer Privacy Act (CCPA).

T-Mobile is the subject of two class-action suits following its latest data breach

The suits were filed in Washington state, as the company's U.S. headquarters are located in Bellevue, Washington. The hackers obtained customers' names and phone numbers, but on Friday T-Mobile said that social security numbers and IDs were not part of the breach.

One lawsuit, filed by Veera Daruwalla (Daruwalla v. T-Mobile USA Inc) noted that T-Mobile blamed the data breach on hackers using the Twitter handle @und0xxed who had broken into T-Mobile's servers and gained access to the personal data belonging to the wireless provider's customers. While T-Mobile claims that the data stolen by the hackers was limited, the hackers themselves beg to differ.

As the plaintiff's filing states, "According to the hackers, the stolen personal identifying information (PII) includes customers’ names, addresses, social security numbers, drivers license information, phone numbers, dates of birth, security PINs, phone numbers, and, for some customers, unique IMSI and IMEI numbers (embedded in customer mobile devices that identify the device and the SIM card that ties that customer’s device to a telephone number)—all going back as far as the mid 1990s. The hackers also claim to have a database that includes credit card numbers with six digits of the cards obfuscated."

Besides looking to profit by selling personal data belonging to T-Mobile customers, the hackers could use the unique IMEI belonging to T-Mobile subscribers' phones to perform what is known as a SIM-swap attack, which lets bad actors receive one-time passwords or get access to two-factor authentication codes. This could allow a cybercriminal to hijack a T-Mobile customer's phone and gain access to the victim's financial accounts.

According to the suit, the hackers claim that over 100 million T-Mobile customers had their personal information swiped in the data breach. T-Mobile's preliminary investigation concluded that 7.8 million postpaid subscribers were involved along with 850,000 active prepaid customers and 40 million "former or prospective customers who had previously applied for credit with T-Mobile."

One suit claims that T-Mobile was "reckless" with its subscribers' personal data

The CCPA allows statutory damages in a private right of action between $100 and $750 per customer per violation, or actual damages, whichever is greater. The plaintiffs also seek injunctive relief to protect T-Mobile customers from future data breaches. The filing also delves into past issues that the carrier has had with data breaches.

The second suit, filed by Stephanie Espanoza, Jonathan Morales, and Alex Pygin, says that T-Mobile handled all of the data belonging to its customers (including names, phone numbers, drivers’ licenses, government identification numbers, Social Security numbers, dates of birth, and T‐Mobile account PIN numbers) "in a reckless manner." The plaintiffs also say that the computer system employed by T-Mobile to store this important personal data was "in a condition vulnerable to cyberattacks."

The court filing adds that T-Mobile was aware of the risks of not taking proper steps to secure its subscribers' personal data. The potential crimes that the hackers can commit with the stolen information include "fraudulently applying for unemployment benefits, opening new financial accounts in Class Members' names, taking out loans in Class Members' names, using Class Members' information to obtain government benefits (including unemployment or COVID relief benefits), filing fraudulent tax returns using Class Members' information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph and providing false information to police during an arrest."

The plaintiffs in this suit seek damages, punitive damages, court costs, attorneys' fees, prejudgement interest, and any other relief that the court feels is warranted.