T-Mobile named in lawsuits over data breach

The data breach that T-Mobile reported last week is already the subject of two proposed federal class actions alleging it was negligent in connection with the incident.

Last week, the “un-carrier” reported a data breach that involved about 37 million prepaid and postpaid customers. In a Securities and Exchange Commission (SEC) filing Thursday, T-Mobile admitted that a “bad actor” obtained data through a single Application Programming Interface (API).  

In two separate lawsuits over the weekend – one in Florida and one in California – plaintiffs allege the breach occurred due to T-Mobile’s negligence and careless acts and omissions, including failure to encrypt customers’ information, according to a Bloomberg Law report.

A T-Mobile spokesman said the company had no comment beyond what it posted online and with the SEC last week.  

According to Bloomberg, Christine Cortazal alleged that T-Mobile failed to exercise reasonable care to protect her sensitive information. That complaint was filed Saturday in the U.S. District Court for the Northern District of Florida.

Separately, Jennifer Baughman made nearly identical allegations in a complaint filed Sunday in the U.S. District Court for the Central District of California.

Damages cited by members of the proposed classes include invasion of privacy, financial costs of responding to the breach and mitigating its impact and lost time responding to the breach, according to the Bloomberg report.

Some analysts last week said the frequency of data hacks at T-Mobile is alarming, the latest one being just days before a January 23 filing deadline related to a class action in a massive 2021 data breach. In 2022, T-Mobile agreed to a $350 million settlement to resolve claims in that attack.

In the most recent breach, the compromised API did not provide access to any customer payment card information, social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information, so none of this information was exposed, according to T-Mobile.

However, the hack did expose customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.