Communications Litigation Today was a Warren News publication.
API Security 'Needs Work'

T-Mobile Tried to 'Downplay' Value of Stolen Data: 8th Breach Complaint

T-Mobile “tried to downplay the value of what was stolen,” alleged the eighth federal privacy class action (4:23-cv-00438) arising from the carrier’s November data breach that it disclosed in a Jan. 19 8-K report (see 2301230046). T-Mobile believes the bad actor first retrieved data through a compromised application programming interface (API) around Nov. 25, but the company failed to detect the unauthorized activity until Jan. 5, the complaint noted.

The carrier, which failed to comply with regulatory guidance and industry-standard cybersecurity practices, strives to boost its bottom line by selling its customers’ personal identifying information (PII), said the complaint Wednesday in U.S. District Court for South Carolina in Florence. Though T-Mobile said it notified federal agencies about the incident and began notifying customers whose information may have been obtained by the bad actor -- in accordance with applicable state and federal requirements -- the notices are “woefully deficient,” the complaint said.

Instead of warning data breach victims they're at significant risk of identity theft and fraud, a T-Mobile notice said the company “prevented the most sensitive types of customer information from being accessed” and customer accounts and finances “are not put directly at risk by this event,” the complaint said.

The company’s efforts to notify plaintiff and class members of the breach “fell short of providing key information,” consisting instead of “brief messages with little substantive information” about how customers could protect themselves from identity theft and fraud, said South Carolina plaintiff Lisa Frierson, who learned of the data breach from a news source. Frierson noticed “suspicious activity including spam calls, texts, emails and Facebook activity” since the breach and has spent time and effort to review her Cash App, Facebook and Instagram accounts for fraudulent activity, the complaint said.

That T-Mobile failed to detect the data breach for about six weeks indicates “T-Mobile’s API security clearly needs work,” said the complaint, citing a Jan. 20 Wired article quoting Chester Wisniewski, field chief technical officer at security firm Sophos. Wisniewski said it was “concerning that the criminals were in T-Mobile’s system for more than a month before being discovered,” and suggests the company’s defenses “do not utilize modern security monitoring and threat hunting teams” expected from a “large enterprise like a mobile network operator.”

Scammers are likely to target T-Mobile users with phishing messages due to the data breach, said the complaint, citing data security expert Brian Krebs who said scammers might send messages that include the recipient’s compromised account details to make communications “look more legitimate.”

Class members realized harm in the lost or reduced market value of their PII that was stolen, said the complaint. The market value for access to PII can be determined by reference to legitimate and illegitimate markets for data, it said.

Class claims include negligence, breach of confidence, intrusion upon seclusion, breach of express and implied contract, unjust enrichment and declaratory judgment. Plaintiff wants to prevent T-Mobile from continuing to engage in unlawful acts and to require it to protect all data collected in accordance with industry standards, regulations and laws. It also wants T-Mobile to be required to destroy the PII of class members; implement an information security program; engage third-party auditors; conduct periodic audits of its systems; and implement logging and monitoring programs to track traffic from its servers, the complaint said.

Plaintiff seeks compensatory, consequential, general and nominal damages to be determined at trial, an order of disgorgement and restitution of all earnings, compensation and benefits T-Mobile received as a result of its unlawful acts and practices, plus legal costs and attorneys’ fees.