Communications Litigation Today was a Warren News publication.
Diverse Jurisdictions

6 Data Breach Class Actions vs. T-Mobile Filed Through Tuesday

New class actions due to T-Mobile’s disclosure that bad actors gained access to the account information of 37 million current postpaid and prepaid customers continue trickling into federal court dockets in various U.S. jurisdictions.

With the disclosure isn't quite a week old, at least six complaints against T-Mobile were docketed through the close of business Tuesday, including the first two that were filed Saturday and Sunday (see 2301230046), almost immediately after T-Mobile began alerting customers. No court through Tuesday hosted more than a single complaint, our examination of court records found. The districts involved were California Central, Florida Northern, Kansas, Missouri Western, New Jersey and Washington Western (see 2301240031 and 2301230046).

Most of the class actions fix Jan. 20 as the date their plaintiffs became aware that their personally identifiable information (PII) had been exposed to hackers. Plaintiff Stephan Clark of Michigan, in the most recent class action Tuesday in U.S. District Court for Western Washington in Seattle (docket 2:23-cv-00103), said he learned about the hack Jan. 20 from news coverage of T-Mobile’s Jan. 19 8-K disclosure. In the 8-K, T-Mobile said it had begun notifying customers “whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements.”

Clark “places significant value in the security of his PII,” said his complaint. He entrusted his sensitive PII to T-Mobile “with the understanding that T-Mobile would keep his information secure and employ reasonable and adequate security measures to ensure that it would not be compromised,” it said. Amid the highly sensitive nature of the information stolen, “and its subsequent dissemination to unauthorized parties,” Clark has already suffered injury and “remains at a substantial and imminent risk of future harm,” said his complaint.

T-Mobile has been unresponsive to numerous requests for comment about the data breach and the ensuing litigation. In its 8-K, T-Mobile said it’s “unable to predict the full impact of this incident on customer behavior in the future, including whether a change in our customers’ behavior could negatively impact our results of operations on an ongoing basis.”

Beyond the scale of the breach affecting 37 million active customer accounts, what appears to be irking T-Mobile plaintiffs in the class actions filed so far is the carrier’s response timeline. Clark said T-Mobile revealed it believes the bad actor first retrieved data through a faulty application programming interface around Nov. 25, but it failed to detect the unauthorized activity until Jan. 5. His complaint quotes security experts saying that’s indicative of security protocols that need urgent modernization.