Washington State Sues T-Mobile Over 2021 Data Breach: Analysis & Lessons for CISOs
- Avraham Cohen
- Apr 27, 2025
- 11 min read
Updated: May 13, 2025
If you are in a hurry -> Best Practices to Avoid Similar Claims
Introduction
In January 2025 Washington State Attorney General Bob Ferguson filed a consumer-protection lawsuit against T‑Mobile, alleging that the carrier failed to fix known security flaws and misled customers about a massive 2021 breach (Washington State suing T-Mobile over data breach impacting 79M people) (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News).
The complaint (filed in King County Superior Court) says T‑Mobile “had years” to address cybersecurity vulnerabilities but did not, even as it publicly touted data protection promises (Washington State suing T-Mobile over data breach impacting 79M people) (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State).
In August 2021 a hacker accessed T‑Mobile’s internal network, exposing personal information of 79 million people nationwide (including 2,025,634 Washingtonians) (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News).
Of those WA residents, roughly 183,000 had their Social Security numbers stolen (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News).
The breach ran from March 2021 until mid-August 2021, and – according to the lawsuit – went undetected for months due to “inadequate” monitoring (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News).
This incident, Washington claims, was entirely avoidable (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News) and resulted from T‑Mobile’s failure to meet basic security standards.
Key Allegations in the Lawsuit
The Washington suit targets both technical lapses and consumer-protection violations.
In summary, it accuses T‑Mobile of:
Ignoring known vulnerabilities. The complaint asserts T‑Mobile “knew about its cybersecurity weaknesses for years and failed to fix them” (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News). According to the filing, the company’s security processes were insufficient (lacking threat identification, systemic oversight, and multi-factor controls), enabling the attacker to exploit easily guessable or “obvious” credentials to reach critical databases (Washington AG Sues T-Mobile Over 2021 Data Breach) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News).
Misleading consumers on security. T‑Mobile had publicly promised that it prioritizes protecting customer data (Washington State suing T-Mobile over data breach impacting 79M people), yet the state alleges this was deceptive given the known risks. Washington emphasizes that T‑Mobile marketed itself as having customers’ backs, even as it allegedly failed basic defenses (Washington State suing T-Mobile over data breach impacting 79M people) (Washington AG Sues T-Mobile Over 2021 Data Breach).
Inadequate breach notification. After discovering the hack, T‑Mobile sent terse text notices to affected customers. The lawsuit describes the notice as “brief, omitted critical and legally required information, and in some cases misled customers regarding the severity of the breach” (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News). Crucially, consumers whose Social Security numbers were compromised were not informed of that fact (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News), while customers without SSN exposure were expressly told their numbers were safe. Washington argues that omitting key details (like SSN exposure) hampered consumers’ ability to assess their identity-theft risk.
Violation of Washington’s Consumer Protection Act (CPA). By allegedly downplaying the breach and omitting facts in its notifications, T‑Mobile is accused of “unfair or deceptive acts” under the CPA. The Verge reports that Washington’s filing explicitly states T‑Mobile’s notifications “violated the Consumer Protection Act by omitting key information”, making it difficult for people to understand their risk (T-Mobile is once again being sued over its 2021 data breach | The Verge) (Washington State suing T-Mobile over data breach impacting 79M people). In short, the state claims T‑Mobile’s conduct – from security oversights to notification wording – amounted to consumer fraud.
General negligence and recklessness. More broadly, the suit brands T‑Mobile’s behavior as negligent. It notes the carrier had been the target of previous breaches and even regulatory warnings, yet it still “did not meet industry standards” for years (Washington AG Sues T-Mobile Over 2021 Data Breach) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News). Washington even highlights a 2020 Securities and Exchange Commission filing acknowledging continued targeting, implying T‑Mobile should have known better (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News). The lawsuit therefore seeks civil penalties and restitution for harmed Washingtonians, as well as an injunction forcing T‑Mobile to bolster its cybersecurity policies, procedures, and consumer communications (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington AG Sues T-Mobile Over 2021 Data Breach).
Technical Failures Highlighted
The court filings and press releases enumerate several specific security breakdowns at T‑Mobile:
Obvious passwords and weak credentials. Ferguson’s team points out that some internal accounts were protected by easily guessed passwords (Washington AG Sues T-Mobile Over 2021 Data Breach). The hacker reportedly exploited this by “guessing obvious credentials” to gain database access (Washington AG Sues T-Mobile Over 2021 Data Breach). This direct critique suggests failures in basic access management: no screening of passwords against a denylist of common or breached values, and no lockout or rate limiting that would make guessing expensive and visible. (Note that forced periodic rotation, which NIST SP 800-63B no longer recommends, would not have helped against a password that was guessable on day one.)
Lack of multi-factor authentication (MFA). While not explicitly spelled out in the state press release, outside reporting notes that an FCC settlement (stemming from the same breaches) required T‑Mobile to implement MFA and a zero-trust model (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News). The implication is that, pre-breach, many sensitive systems may have been protected by single-factor (password-only) login, a now-standard control that T‑Mobile “had previously lacked” (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News).
Poor network monitoring and detection. The breach persisted for roughly five months with T‑Mobile unaware of it. The lawsuit bluntly states that T‑Mobile’s security monitoring was so poor that the breach was only discovered when an external party alerted the company after seeing customer data for sale on the dark web (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News). In other words, intrusion detection and anomaly alerting did not fire on months of attacker activity, which points to authentication and database-access logs that were not collected, not retained, or not reviewed.
Insufficient segmentation and oversight. The complaint claims a “systemic lack of oversight” and insufficient processes to identify threats (Washington AG Sues T-Mobile Over 2021 Data Breach). This suggests weaknesses in security governance and network design (for example, once the hacker was in, they had free rein to reach customer databases).
These failures tie back to concrete losses: phone numbers, home addresses, dates of birth, driver’s license/ID numbers and SSNs were all stolen (T-Mobile is once again being sued over its 2021 data breach | The Verge) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News).
As one analyst paraphrased from Ferguson’s allegations, “T-Mobile did not meet industry standards for cybersecurity” (T-Mobile is once again being sued over its 2021 data breach | The Verge).
For CISOs, this highlights that even a major carrier can be tripped up by lapses in basic controls – like password hygiene, MFA, monitoring, and breach response planning – and that gaps will attract enforcement.
T-Mobile’s Response and Context
T‑Mobile has publicly expressed surprise at the lawsuit.
In statements to media, the company noted it had repeatedly briefed the AG’s office on the 2021 breach over the years (including just before the suit was filed), and that it disagrees with the legal claims (Washington State suing T-Mobile over data breach impacting 79M people) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News).
It points out that it already agreed to a comprehensive FCC settlement related to these incidents ($31.5 million in total, split between a civil penalty and a mandated investment in security improvements, plus required security reforms).
Indeed, that settlement requires T‑Mobile to adopt modern frameworks – zero-trust architecture and MFA – that the FCC said were missing (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News).
T‑Mobile also asserts it has “fundamentally transformed” its cybersecurity posture in the four years since 2021 (Washington State suing T-Mobile over data breach impacting 79M people).
Nevertheless, Washington’s suit seeks independent state penalties and oversight beyond the FCC case.
It underscores that regulatory compliance (with agencies like the FCC or SEC) does not insulate a company from separate state-law claims.
For CISOs, the takeaway is that regulatory settlements and fines don’t end the story: plaintiffs (state AGs or class actions) may still pursue claims on grounds like deceptive practices or negligence if the underlying failures harmed consumers.
Lessons and Best Practices for CISOs
This lawsuit serves as a cautionary tale. To avoid similar claims, cybersecurity leaders should heed the issues raised:
Meet or exceed industry security standards. Adopt established frameworks (NIST CSF, ISO 27001, CIS Controls, etc.) and rigorously test controls. The complaint notes T‑Mobile “did not meet industry standards” (Washington AG Sues T-Mobile Over 2021 Data Breach) – a red flag for any court. Regular risk assessments, vulnerability scans, and third-party audits can help catch glaring gaps (like weak passwords or missing MFA) before attackers do.
Enforce strong authentication everywhere. Require multi-factor authentication for all accounts, especially those with access to PII, and prioritize phishing-resistant factors for administrative and database access. As the FCC-mandated settlement shows, zero-trust and MFA are now expected baseline defenses (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News). Relying on single-factor passwords (especially if they are weak or shared) invites both breaches and liability.
Implement comprehensive monitoring and incident response. Ensure robust intrusion detection systems, 24/7 security operations, and real-time alerting. The fact that this breach went unnoticed for months until an outsider intervened (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News) highlights the danger of blind spots. Regularly test detection and response capabilities (e.g. red-teaming, purple-team exercises) to make sure threats are caught and mitigated quickly.
Maintain the principle of least privilege and segmentation. Limit access to sensitive data strictly on a need-to-know basis. Segregate networks so that a breach in one area cannot freely escalate to databases of customer data. The lawsuit’s reference to a “systemic lack of oversight” (Washington AG Sues T-Mobile Over 2021 Data Breach) suggests poor access controls; CISOs should enforce tight IAM policies and network segmentation to prevent exactly this scenario.
Be transparent and thorough in breach notifications. Comply fully with all legal notification requirements (which vary by state) and do not withhold material facts. In particular, ensure that any PII exposures (like SSNs) are explicitly mentioned to affected individuals. Washington’s suit zeroes in on T‑Mobile’s text notices that omitted mention of stolen SSNs and otherwise downplayed the scope (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News). Lesson: do not sugar-coat breach alerts. Provide clear, complete information so consumers and regulators can assess risk.
Avoid misleading security marketing. Ensure that public claims about data safety or privacy are accurate and aligned with internal reality. The lawsuit calls out T‑Mobile’s “We’ve got your back…your data is secure” messaging as deceptive given the company’s admitted security failures (Washington State suing T-Mobile over data breach impacting 79M people) (Washington AG Sues T-Mobile Over 2021 Data Breach). CISOs should vet any public-facing statements on security; over-promising and under-delivering can become evidence of bad faith in court.
Document governance and continuous improvement. Keep detailed records of security decisions, audits, and remediation efforts. If vulnerabilities are found, evidence that they were promptly addressed will be crucial. The AG noted that T‑Mobile “had years” to fix issues (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) – if true, that gap looks bad. Regularly review board or executive security oversight, and document that management takes cybersecurity seriously to demonstrate due diligence.
Stay ahead of legal and regulatory shifts. Laws like consumer-protection acts can impose liability for cybersecurity missteps. Ensure legal and compliance teams are involved in security planning. For example, after T‑Mobile’s 2021 breach, several state attorneys general (including Washington) became vigilant. CISOs should track new state breach notification laws and consumer-protection rulings, and adapt policies proactively.
Engage in open dialogue with regulators. The story shows frustration on both sides. Proactively cooperating with state and federal regulators (rather than reacting only after a breach) can help shape fair expectations. T‑Mobile has already negotiated with the FCC; similarly, CISOs can seek guidance or safe harbors by working with AG offices or security agencies to show good faith.
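Two of the failures above, the easily guessed credentials under Technical Failures and the monitoring gap in the bullet on comprehensive monitoring and incident response, are concrete enough to show in code. The following is an added example written for this article; it is not code from the complaint, the FCC order, or T‑Mobile’s systems. It screens candidate passwords against a small constructed denylist and structural rules, then runs a sliding-window detector over constructed authentication log lines and raises an alert when one source fails repeatedly and then succeeds. The log format, IP addresses, user names, denylist contents and thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed denylist for illustration; a production screen should check
# against a breached-password corpus (for example a Have I Been Pwned download).
OBVIOUS_PASSWORDS = {
    "password", "password1", "welcome1", "admin", "admin123",
    "changeme", "123456", "qwerty", "summer2021", "letmein",
}


def is_weak_password(pw, min_len=12):
    """Return the reasons a password would fall to obvious guessing
    (an empty list means it passed these screens)."""
    reasons = []
    if pw.lower() in OBVIOUS_PASSWORDS:
        reasons.append("on denylist")
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len}")
    # a dictionary word with up to four trailing digits ("Welcome1", "Summer2021")
    if re.fullmatch(r"[A-Za-z]+\d{0,4}", pw):
        reasons.append("word plus digits")
    return reasons


# Hypothetical log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_auth_line(line):
    """Parse one log line into a dict, or None for lines that are not auth events."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_credential_guessing(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Sliding-window detection over auth events.

    Emits 'brute_force' when a source reaches fail_threshold failures inside the
    window, and 'guess_then_success' when a source with that many recent failures
    then logs in successfully: the event that needs a human within minutes.
    """
    alerts = []
    recent_failures = defaultdict(list)  # src -> failure timestamps inside window
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        fails = [t for t in recent_failures[ev["src"]] if ev["ts"] - t <= window]
        recent_failures[ev["src"]] = fails  # same list object as `fails` below
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            if len(fails) == fail_threshold:  # alert once, when the threshold is crossed
                alerts.append(("brute_force", ev["src"], ev["user"], ev["ts"]))
        else:
            if len(fails) >= fail_threshold:
                alerts.append(("guess_then_success", ev["src"], ev["user"], ev["ts"]))
            recent_failures[ev["src"]] = []  # a success closes the failure run
    return alerts


# Constructed sample log: a normal login, a typo then success (no alert), and
# one source that guesses a database account six times and then gets in.
SAMPLE_LOG = """\
2021-03-14T02:10:01Z auth src=198.51.100.4 user=jsmith result=SUCCESS
2021-03-14T02:10:30Z auth src=198.51.100.7 user=mlee result=FAIL
2021-03-14T02:10:41Z auth src=198.51.100.7 user=mlee result=SUCCESS
2021-03-14T02:11:07Z auth src=203.0.113.9 user=db_admin result=FAIL
2021-03-14T02:11:09Z auth src=203.0.113.9 user=db_admin result=FAIL
2021-03-14T02:11:12Z auth src=203.0.113.9 user=db_admin result=FAIL
2021-03-14T02:11:14Z auth src=203.0.113.9 user=db_admin result=FAIL
2021-03-14T02:11:17Z auth src=203.0.113.9 user=db_admin result=FAIL
2021-03-14T02:11:19Z auth src=203.0.113.9 user=db_admin result=FAIL
2021-03-14T02:11:22Z auth src=203.0.113.9 user=db_admin result=SUCCESS
this line is not an auth event and is skipped
"""


def run_checks():
    """Run both screens on the constructed inputs and return the findings."""
    return {
        "weak": {pw: is_weak_password(pw) for pw in ("Welcome1", "correct-horse-battery-staple-9")},
        "alerts": detect_credential_guessing(SAMPLE_LOG.splitlines()),
    }


if __name__ == "__main__":
    findings = run_checks()
    for pw, reasons in findings["weak"].items():
        print(f"{pw!r}: {'weak (' + ', '.join(reasons) + ')' if reasons else 'ok'}")
    for kind, src, user, ts in findings["alerts"]:
        print(f"{ts.isoformat()} {kind}: src={src} user={user}")
```

The two-failure typo from 198.51.100.7 never reaches the threshold, so it produces nothing, while the run from 203.0.113.9 yields a brute-force alert on the fifth failure and a second, higher-priority alert the moment the guess lands. In practice the same logic runs inside a SIEM rule rather than a script, the threshold is tuned per system, and the success-after-failures alert routes to an on-call responder rather than a daily report; the point is that a guessed database credential is detectable on the day it is used, not five months later from a dark-web listing.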
By internalizing these lessons, security leaders can both strengthen their organization’s defenses and reduce legal exposure.
The Washington v. T‑Mobile case makes clear that a breach’s fallout isn’t just reputational or financial – it can spawn serious legal claims.
CISOs should view it as a wake-up call: robust security and honest communication are not just best practices, they’re rapidly becoming legal imperatives.
Key Takeaways for Executives
Washington’s lawsuit alleges T‑Mobile violated state law by both failing to fix known security holes and misleading customers about the breach (Washington State suing T-Mobile over data breach impacting 79M people) (T-Mobile is once again being sued over its 2021 data breach | The Verge).
Technical failings cited include poor password hygiene, no MFA, and inadequate monitoring – all classic attack vectors (Washington AG Sues T-Mobile Over 2021 Data Breach) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News).
Breach notifications must be complete and factual. Omitting the theft of SSNs or other sensitive data can itself be deemed an unfair business practice (AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State) (Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News).
CISOs should treat this case as evidence that regulators now equate cybersecurity lapses with consumer deception. Doing the bare minimum for compliance is risky; leadership must prioritize security investments, controls, and truthful communications to avoid similar lawsuits.
References: official filings and news reports on the case
- AG Ferguson files lawsuit against T-Mobile for massive data breach | Washington State
- T-Mobile is once again being sued over its 2021 data breach | The Verge
- Washington State suing T-Mobile over data breach impacting 79M people
- Washington AG Sues T-Mobile Over 2021 Data Breach
- Washington state sues T-Mobile over allegedly shoddy cyber practices leading to 2021 breach | The Record from Recorded Future News
- Washington State files consumer protections lawsuit against T-Mobile | News | nbcrightnow.com