Communications Litigation Today was a Warren News publication.
8 Hacks Since 2018

T-Mobile Facing 2 More Class Actions After Data Breach Disclosure

Two more class actions were filed against T-Mobile Monday, after two weekend filings just days after the carrier disclosed its latest data breach in an 8-K report Thursday at the SEC (see 2301230046).

In a Monday complaint in U.S. District Court for New Jersey in Newark, New Jersey plaintiff Frankie Gonzalez cited T-Mobile’s “eight hacks since 2018” and alleged the carrier’s “failure to implement industry-standard security protocols and its repeated failure to detect and secure customer information” caused harm to the class.

The stunning speed with which the first T-Mobile class actions were docketed after its most recent data breach disclosure isn't without recent precedent. The first-filed class action against the summertime Samsung data breach was filed in a Nevada state court Sept. 2, the same day that Samsung disclosed the breach on its corporate website. It's partially on that case's first-filed status that Samsung is arguing to have all the cases transferred and consolidated in U.S. District Court in Las Vegas, where Samsung removed it on Oct. 10 (see 2301040035).

A fourth class action against T-Mobile, filed in the U.S. District Court for Western Missouri in Kansas City Monday, cites T-Mobile for alleged negligence, unjust enrichment, breach of express and implied contract and invasion of privacy, after the company disclosed it discovered Jan. 5 that an unidentified hacker obtained data from about 37 million of its customers around Nov. 25 through an application programming interface.

Plaintiffs’ personally identifiable information (PII) is of high value to criminals, said the complaint (docket 4:23-cv-00052), citing Dark Web pricing for stolen identity credentials. PII can be sold at a price from $40 to $200; bank details have a price range of $50-$200; and credit card details with an account balance "of up to $5,000" have an average market value of $240, the complaint said, referencing the Dark Web Price Index for 2021.

New Jersey plaintiff Gonzalez, who has two cellphone lines and two smartwatches linked to his T-Mobile account, “would not have done business with T-Mobile” if he had known of the carrier’s “lax security practices,” said the complaint (docket 2:23-cv-367). “Data breaches have been a nearly annual event for the company for many years,” it said, listing publicized breaches beginning in 2017. With its numerous data breaches, T-Mobile was “clearly aware of its data security failures, and the fact that subsequent breaches have occurred reinforces that Plaintiff’s PII, which remains in T-Mobile’s possession, is not safe,” the complaint said.

In addition to monetary damages and legal fees, plaintiffs seek injunctive relief, including orders requiring T-Mobile to encrypt all data collected and delete and destroy the PII of members; implement an information security program; engage third-party auditors to conduct testing and simulated attacks; implement a threat management program; and appoint a third-party assessor to conduct a SOC 2 Type 2 attestation annually for 10 years.