Nature of Action
This Class Action lawsuit arises from T-Mobile’s August 16th announcement confirming that its servers were hacked and personal identifying information (“PII”) of “over 53 million” of its customers was stolen.
According to the hackers, the stolen PII includes customers’ names, addresses, social security numbers, driver’s license information, phone numbers, dates of birth, security PINs, and for some customers, unique IMSI and IMEI numbers (embedded in customer mobile devices that identify the device and the SIM card that ties that customer’s device to a telephone number) – all going back as far as the mid-1990s. The hackers also claim to have a database that includes credit card numbers with six digits of the cards obfuscated.
Because each IMEI number is tied to a specific customer’s phone, knowing it could help in so-called “SIM-swap attacks,” which could lead to account takeover concerns, since threat actors could gain access to two-factor authentication or one-time passwords tied to other accounts – such as email, banking, or any other account employing advanced authentication security features – using a victim’s phone number.
The depth of the breach is such that it offers potential buyers a blend of information that could be used to great effect. Having this PII centralized streamlines the identity theft process for criminals. For example, while phone numbers and names are relatively easy to find, a database that ties those two together, along with identifying someone’s carrier and fixed address, makes it much easier to facilitate phishing attacks.
According to the hackers, the Data Breach affects more than 100 million individuals, meaning that all or nearly all T-Mobile customers may have been impacted. The hackers have reportedly already sold a first batch of data containing hundreds of thousands of records and are shopping the bulk of the stolen PII directly to buyers.
T-Mobile has been a target of many data breaches in the past, so it knew its systems were vulnerable to attack. Despite past breaches, it failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ personal information, yet again putting millions of customers at great risk of scams and identity theft.
The customer PII disclosed in the Data Breach is protected by the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 (“CCPA”), which gives rise to a cause of action when insufficient security results in a breach. Specifically, the CCPA gives rise to a claim where, as here, an individual’s name in combination with a social security number or driver’s license number is exfiltrated without authorization (among other things).
In a private right of action, the CCPA also provides for statutory damages of between $100 and $750 per customer per violation or actual damages, whichever is greater. The appropriate amount of statutory damages is determined through examination of a number of factors, including the size of Defendant’s assets and whether the Defendant has a record of weak data security.
Finally, the CCPA provides that “any provisions of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.”
The Defendant in this case is T-Mobile USA, Inc., a Delaware corporation.
More information about the Data Breach can be found here.
Status of Lawsuits