T-Mobile has been hit with a class-action complaint over its widely publicized recent data breach, which involved hackers obtaining Social Security numbers and other personally identifying information for around 50 million people.
“As the target of many data breaches in the past, T-Mobile knew its systems were vulnerable to attack. Yet it failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ personal information, yet again putting millions of customers at great risk of scams and identity theft,” California resident Veera Daruwalla, Louisiana resident Michael March and Illinois resident Lavicieia Sturdivant allege in a complaint filed Thursday in U.S. District Court in Seattle. “Its customers expected and deserved better from the second largest wireless provider in the country.”
Among other claims, they allege that T-Mobile violated the California Consumer Privacy Act, which allows consumers to sue companies that fail to take reasonable security measures to protect people's personal information.
Their lawsuit comes several days after Motherboard reported that hackers were attempting to sell data obtained in the attack.
The publication said one seller sought around $270,000 for 30 million Social Security numbers and driver's licenses supposedly obtained from T-Mobile.
After the report came out, T-Mobile confirmed that hackers had obtained full names, birthdates, Social Security Numbers and driver's license information for more than 40 million former or prospective customers, as well as 7.8 million current customers.
The telecom collects that data when running credit checks of people who apply for post-paid accounts.
On Friday, the company added that the 7.8 million current customers affected by the data breach also had their phone numbers compromised, as well as identifiers associated with their devices.
T-Mobile also reported Friday that that that hackers accessed the names, addresses, birthdates, phone numbers and identifiers associated with their devices -- but not Social Security numbers or driver's license information -- of an additional 5.3 million current postpaid subscribers.
The company said Friday that it will offer two years of free McAfee ID theft protection to all people who believe they may have been affected by the breach.
The customers who are suing T-Mobile allege that they face an ongoing risk of injury.
“Malicious actors often wait months or years to use the personal information obtained in data breaches, as victims often become complacent and less diligent in monitoring their accounts after a significant period has passed,” the lawsuit alleges. “Plaintiffs and class members will therefore need to continuously monitor their accounts for years.”