The impact of data breaches takes a long time to resolve, as evidenced by the fact that Washington sues T-Mobile over a 2021 data breach.

As discussed by Zack Whittaker on TechCrunch (Washington sues T-Mobile over 2021 data breach that spilled 79 million customer records, available here), the state of Washington has sued T-Mobile over allegations the phone giant failed to secure the personal data of millions of state residents prior to an August 2021 data breach, which went on to affect more than 79 million customers across the United States.

In a statement announcing the lawsuit, Washington attorney general Bob Ferguson said T-Mobile “knew for years about certain cybersecurity vulnerabilities and did not do enough to address them.” Ferguson said the suit seeks financial damages under the state’s consumer protection laws and to order T-Mobile to improve its cybersecurity policies. 

The hack against T-Mobile in August 2021 was the latest in a series of data breaches at the company over recent years, with at least five security incidents dating back to 2018 by TechCrunch’s count. The breach allowed a hacker access to T-Mobile’s systems and exfiltrated customer names, dates of birth, and Social Security numbers, as well as driver’s license information. Some of the stolen T-Mobile customer data was subsequently published on a known cybercriminal forum.

Ferguson accused T-Mobile of providing inadequate notice to affected customers following the breach that “omitted critical information and downplayed the severity,” which Ferguson said affected the ability of consumers to assess their risk of identity theft or fraud.

The lawsuit, filed in a Seattle federal court, contained significant redactions masking specific technical details of the August 2021 hack, but the unredacted portions note that the hacker targeting T-Mobile discovered an “easily guessable username and password”; that T-Mobile “used weak credentials” on accounts for accessing its internal systems; and that T-Mobile “allowed the connection from the threat actor’s IP address” from outside its network. The complaint also says T-Mobile did not implement rate-limiting on any login attempts, allowing the hacker to freely test as many credentials without locking the employee accounts in question.

Oy.

There may be a lot of things that happen as a result of this lawsuit, including increased attention on how companies react to a data breach in terms of a) notifying customers about the breach in a timely manner, and b) taking steps to prevent it from happening again. It certainly shows that the impact of data breaches can take a long time to resolve. 258 days may be the mean time it takes defenders to identify and contain a breach, but that’s not the end of the potential impact of one – by a long shot.

So, what do you think? Does your organization have a formal incident response plan? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.