T-Mobile Faces Class Action Lawsuit After Data Breach Leaked Millions of SSNs

A cyberattack launched against T-Mobile exposed the personal data, including social security numbers, of at least 47 million current, former, and prospective customers. Those affected have filed a class action lawsuit demanding T-Mobile stop its storage of "personal identifying information on a cloud-based database."

The attack was first reported Sunday and confirmed Monday by T-Mobile after a hacker was found advertising roughly 30 million social security numbers online, according to reporting by Vice. In the online forum, the seller was asking for six Bitcoin, around $270,000, for a collection of data that included social security numbers as well as drivers' licenses, phone numbers, and names.

The lawsuit alleges the breach has resulted in the filers facing potential identity theft, out‐of‐pocket expenses, loss of time used to mitigate the effects of the breach, and criminal misuse of their personal information. In the suit, the filers allege T-Mobile was aware of the potential risk of breach.

"[T-Mobile] maintained the private information in a reckless manner," the suit reads. "In particular, the private information was maintained on [T-Mobile]'s computer system and network in a condition vulnerable to cyberattacks. The mechanism of the cyberattack and potential for improper disclosure of [filers'] private information was a known risk to [T-Mobile], and thus [T-Mobile] was on notice that failing to take steps necessary to secure the private information from the risk of a ransomware attack."

T-Mobile Data Breach Affects 40 Million People
T-Mobile announced Wednesday that a data breach exposed the personal information of 7.8 million current customers and 40 million people who had applied for credit. People walk past the front of a T-Mobile retail store on Wednesday in Arlington, Virginia. Photo by Chip Somodevilla/Getty Images

In the suit, the filers allege that T-Mobile failed to take basic measures to follow its promise to "maintain customer privacy." The suit alleges T-Mobile did not encrypt any of the stolen information, including usernames and passwords.

As of the filing date of the suit, T-Mobile has not indicated how long hackers may have held the information, nor has it stated the date on which the incident occurred. The suit alleges that had T-Mobile "taken its data security obligations more seriously," the company would have discovered and stopped the breach sooner.

T-Mobile has offered those affected 24 months of complimentary credit monitoring, but the filers describe this as "inadequate," stating it places the burden on the filers to spend their time signing up for the service.

Newsweek contacted T-Mobile but did not receive a response in time for publication. However, on its website, the company urged customers to take the following steps to protect themselves:

"Protect your identity with McAfee: Sign up for McAfee ID Theft Protection Service free for two years provided by T-Mobile," it said. "Activate Scam Shield: Tap into our network's advanced scam-blocking protection and use anti-scam features such as Scam ID, Scam Block, and Caller ID—Free to all T-Mobile customers," and "Further protect your T-Mobile account: Use our free Account Takeover Protection service to help protect against an unauthorized user fraudulently porting out and stealing your phone number [postpaid only]."