The state of Washington has filed a lawsuit against T-Mobile, alleging that the phone giant failed to protect the personal data of millions of state residents, leading to a massive data breach in August 2021 that affected over 79 million customers across the United States.

According to Washington Attorney General Bob Ferguson, T-Mobile "knew for years about certain cybersecurity vulnerabilities and did not do enough to address them." The lawsuit, filed in a Seattle federal court, seeks financial damages under the state's consumer protection laws and aims to order T-Mobile to improve its cybersecurity policies.

The August 2021 breach was not an isolated incident, as T-Mobile has experienced at least five security incidents since 2018, according to TechCrunch. The hack allowed a hacker to access T-Mobile's systems, exfiltrating customer names, dates of birth, Social Security numbers, and driver's license information. Some of the stolen data was later published on a known cybercriminal forum.

Ferguson accused T-Mobile of providing inadequate notice to affected customers following the breach, omitting critical information and downplaying the severity of the incident. This, Ferguson argued, affected the ability of consumers to assess their risk of identity theft or fraud.

"This significant data breach was entirely avoidable," Ferguson said in a press release. "T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed."

The lawsuit contains significant redactions, but the unredacted portions reveal alleged technical security deficiencies and internal company policies that may have made it easier for the hacker to access and download customer data from T-Mobile's servers. Specifically, the complaint notes that the hacker discovered an "easily guessable username and password," and that T-Mobile used weak credentials on accounts for accessing its internal systems.

Furthermore, the lawsuit alleges that T-Mobile allowed the connection from the threat actor's IP address from outside its network and did not implement rate-limiting on login attempts, allowing the hacker to freely test credentials without locking the employee accounts in question. The company's "inadequate monitoring and alerting configuration" also made it easier for the hacker to access T-Mobile's network without being noticed.

The suit also accuses T-Mobile of misrepresenting the adequacy of its cybersecurity defenses and the threat to its customers' data found on the dark web, and says the company's conduct "had the capacity to deceive a substantial number of Washington consumers."

A spokesperson for T-Mobile did not immediately comment on the lawsuit when reached on Monday. The lawsuit highlights the importance of robust cybersecurity measures and transparent communication in the event of a breach. As the tech industry continues to grapple with the growing threat of cyberattacks, this lawsuit serves as a reminder of the significant consequences of failing to prioritize customer data security.

The outcome of this lawsuit will be closely watched, as it may set a precedent for holding companies accountable for their cybersecurity practices. In the meantime, T-Mobile customers affected by the breach remain vulnerable to identity theft and fraud, underscoring the need for swift action to improve cybersecurity standards across the industry.