After Consolidation, T-Mobile Subscribers File Amended Complaint in Data Breach MDL

The 338-page consolidated class action complaint filed last week marked the formal advent of litigation by T-Mobile customers from all 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands against the wireless carrier over the “one of the largest and most consequential data breaches in U.S. history.” The complaint seeks to hold T-Mobile US Inc. and wholly-owned subsidiary T-Mobile USA accountable for their alleged failure to prevent the breach and inadequate response thereto in the 95-count pleading.

As previously reported, the case concerns the August 2021 incident, exfiltrating and compromising more than 75 million customers and potential customers’ personally-identifiable information (PII) including Social Security number and T-Mobile account information. Last December, the suit was consolidated by the Judicial Panel on Multidistrict Litigation before Judge Brian C. Wimes in Kansas City, Mo.

The class action complaint provides details about the breach. Sometime last year, John Erin Binns, an American in his early twenties living in Turkey, reportedly used a simple software tool to scan T-Mobile’s known internet addresses for weak points. He found one, namely a misconfigured Gateway GPRS Support Node (GGSN) through which he gained access to T-Mobile’s internal network. 

Once inside, he eventually obtained access to production servers, found login credentials, and used those to break into more than 100 servers containing millions of customers’ PII. T-Mobile’s internal network had weak security because it reportedly had not employed a protection called “rate limiting,” an industry standard measure, the complaint said.

According to the filing, subsequent federal investigation showed that T-Mobile user data was for sale on the dark web, which T-Mobile attempted to buy back with a ransom. Yet, the complaint argues that the data has reached the hands of bad actors causing impacted customers and potential customers to worry about identity theft and related cybercrimes. The plaintiffs further assert that T-Mobile’s disclosure of the breach was inadequate and the remedial measures offered, including two years of identity protection services, fall short.

The lawsuit states claims for consumer protection, tort, and contract law violations, seeks certification of a nationwide class and state subclasses, and requests injunctive relief and damages. Stueve Siegel Hanson LLP, Keller Rorhback L.L.P., and Hausfeld LLP are co-lead interim class counsel.