Case 2:23-cv-00477 Document 1 Filed 01/22/23 Page 1 of 34 Page ID #:1

AYLSTOCK, WITKIN, KREIS & OVERHOLTZ, PLLC
S. MARY LIU, ESQ. (SBN # 282884)
17 East Main St, Suite 200
Pensacola, FL 32502
Tel: 850-202-1010
Fax: 760-304-8933
Email: mliu@awkolaw.com

BRADLEY/GROMBACHER, LLP
Marcus J. Bradley, Esq. (SBN 174156)
Kiley L. Grombacher, Esq. (SBN 245960)
Lirit A. King, Esq. (SBN 252521)
31365 Oak Crest Drive, Suite 240
Westlake Village, California 91361
Telephone: (805) 270-7100
Facsimile: (805) 270-7589
E-Mail: mbradley@bradleygrombacher.com
kgrombacher@bradleygrombacher.com
lking@bradleygrombacher.com

Attorneys for Plaintiff

UNITED STATES DISTRICT COURT
CENTRAL DISTRICT OF CALIFORNIA

JENNIFER BAUGHMAN, an individual, and on behalf of classes of
similarly situated individuals,
Plaintiff,
v.
T-Mobile US, Inc.,
Defendant.

CASE NO:

CLASS ACTION COMPLAINT FOR:
1. NEGLIGENCE;
2. UNJUST ENRICHMENT;
3. BREACH OF EXPRESS CONTRACT;
4. BREACH OF IMPLIED CONTRACT; AND
5. INVASION OF PRIVACY.

Demand for a jury trial

CLASS ACTION COMPLAINT

Plaintiff Jennifer Baughman (“Plaintiff”) brings this Class Action Complaint
against T-Mobile US, Inc. (“Defendant”), in her individual capacity and on behalf
of all others similarly situated, and alleges, upon personal knowledge as to her own
actions and her counsels’ investigations, and upon information and belief as to all
other matters, as follows:

INTRODUCTION
1. This is a class action for damages with respect to Defendant T-Mobile
US, Inc. and its failure to exercise reasonable care in securing sensitive personal
information including without limitation, unencrypted and unredacted name, contact
and demographic information, and date of birth (collectively, “personal identifiable
information” or “PII”).
2. Plaintiff seeks damages for herself and other similarly situated current
and former student loan borrowers (“borrowers”), or any other person(s) impacted in
the data breach at issue (“Class Members”), as well as other equitable relief,
including, without limitation, injunctive relief designed to protect the very sensitive
information of Plaintiff and other Class Members.
3. On or about January 20, 2023, Defendant notified Plaintiff and Class
Members about a widespread data breach involving sensitive PII. The number of
individuals affected has been estimated to impact 37 million customers by Defendant,
however, because Defendant is one of the largest technology companies, the breach
could have involved hundreds of millions of users. Defendant discovered that files
on its network were accessed and acquired by the unauthorized actor (the “Data
Breach”).
4. Plaintiff and the Class Members in this action were, upon information
and belief, current and former Defendant users with their PII on Defendant’s system.
Upon information and belief, the first that Plaintiff and the Class Members learned
of the Data Breach was when they saw news reports of the Data Breach on
approximately January 20, 2023.
5. The Data Breach affected individuals whose information was stored on
Defendant’s servers in multiple states.
6. In this era of frequent data security attacks and data breaches,
particularly in the technology industry, Defendant’s failures leading to the Data
Breach are particularly egregious, as this Data Breach was highly foreseeable.
7. Upon information and belief, Plaintiff’s and Class Members’ PII was
unencrypted and unredacted PII and was compromised due to Defendant’s negligent
and/or careless acts and omissions.
8. As a result of the Data Breach, Plaintiff and the Class Members are at
an imminent risk of identity theft.
9. Plaintiff and Class Members have suffered numerous actual and
concrete injuries as a direct result of the Data Breach, including: (a) invasion of
privacy; (b) financial costs incurred mitigating the materialized risk and imminent
threat of identity theft; (c) loss of time and loss of productivity incurred mitigating
the materialized risk and imminent threat of identity theft; (d) financial costs incurred
due to actual identity theft; (e) loss of time incurred due to actual identity theft; (f)
loss of time heeding Defendant’s warnings and following its instructions in the
Notice Letter; (g) the loss of benefit of the bargain (price premium damages), to the
extent Class Members paid Defendant for services; (h) deprivation of value of their
PII; and (i) the continued risk to their Sensitive Information, which remains in the
possession of Defendant, and which is subject to further breaches, so long as
Defendant fails to undertake appropriate and adequate measures to protect Plaintiff’s
and Class Members’ Sensitive Information.
10. Plaintiff seeks to remedy these harms, and to prevent the future
occurrence of an additional data breach, on behalf of themselves and all similarly
situated persons whose PII was compromised as a result of the Data Breach. Plaintiff
seeks remedies including, but not limited to, compensatory damages, reimbursement
for loss of time, reimbursement of opportunity costs, out-of-pocket costs, price
premium damages, and injunctive relief including improvements to Defendant’s data
security systems and protocols, future annual audits, and adequate credit monitoring
services funded by the Defendant.

PARTIES
11. Plaintiff Jennifer Baughman is a resident and citizen of California,
residing at all relevant times in Los Angeles County.
12. Defendants T-Mobile US, Inc. and its wholly-owned subsidiary
T-Mobile USA, Inc. (“Defendant” or “T-Mobile”) are a telecommunications company
that provides wireless voice, messaging, and data services along with mobile phones
and accessories. T-Mobile is headquartered in Bellevue, Washington and Overland
Park, Kansas in the Kansas City Metropolitan area, and is incorporated under the
laws of the State of Delaware.
13. All of Plaintiff’s claims stated herein are asserted against Defendant and
any of its owners, predecessors, successors, subsidiaries, agents and/or assigns.

JURISDICTION AND VENUE
14. This Court has subject matter jurisdiction of this action pursuant to 28
U.S.C. § 1332, the Class Action Fairness Act of 2005 because: (i) there are 100 or
more class members, (ii) there is an aggregate amount in controversy exceeding
$5,000,000, exclusive of interest and costs, and (iii) there is minimal diversity
because at least one Plaintiff (FL) and Defendant are citizens of different states. This
Court has supplemental jurisdiction over any state law claims pursuant to 28 U.S.C.
§ 1367.
15. This Court has personal jurisdiction over T-Mobile because it is
authorized to and regularly conducts business in the State of California. T-Mobile
sells, markets, and advertises its products and services to Plaintiffs and Class
Members located in the State of California and, therefore, has sufficient minimum
contacts to render the exercise of jurisdiction by this Court proper and necessary.
16. Pursuant to 28 U.S.C. § 1391, this Court is the proper venue for this
action because a substantial part of the events, omissions, and acts giving rise to the
claims herein occurred in this District: Class members affected by the breach reside
in this District and Defendant employs numerous people in this District.

FACTUAL ALLEGATIONS
17. Defendant operates its business nationwide offering various types of
technological products and services.
18. Plaintiff and the Class Members, as current or former T-Mobile users,
reasonably relied (directly or indirectly) on this sophisticated technology company to
keep their sensitive PII confidential; to maintain its system security; to use this
information for business purposes only; and to make only authorized disclosures of
their PII. Borrowers, in general, demand security to safeguard their PII, especially
when financial information and other sensitive PII is involved.
19. On or about January 20, 2023, Defendant made an announcement about
a widespread data breach of its computer network involving the sensitive personally
identifiable information of consumers.
20. According to news reports: “A ‘bad actor’ stole personal information
from approximately 37 million T-Mobile customers in a November data breach.”1
21. In a filing with the Securities and Exchange Committee: “T-Mobile said
the hack was discovered on Jan. 5. The unidentified hacker (or hackers) obtained data
starting around Nov. 25 through a single Application Programming Interface, the
company said.”2
22. Plaintiff and Class Members in this action were, upon information and
belief, current and former T-Mobile users whose PII was utilized by Defendant for
purposes of providing products and services. Plaintiff and Class Members first
learned of the Data Breach when they saw news reports of the Data Breach on or
about January 20, 2023.

1 https://www.usatoday.com/story/tech/2023/01/20/tmobile-data-hack-37-million-customers/11088603002/
2 Id.

23. Upon information and belief, Defendant did not use reasonable security
procedures and practices appropriate to the nature of the sensitive, unencrypted
information it was maintaining, causing Plaintiff’s and Class Members’ PII to be
exposed.
24. Upon information and belief, the cyberattack was expressly designed to
gain access to private and confidential data, including (among other things) the PII
of Plaintiff and the Class Members.
25. Defendant could have prevented this Data Breach by properly
encrypting or otherwise implementing policies, procedures and computer data
security programs that provided the level of protection reasonably necessary for a
company of this sophistication and the custodian of large amounts of PII.
26. In the course and scope of its provision of services and products,
Defendant collects massive amounts of highly sensitive PII, including but not limited
to, name, contact and demographic information, date of birth.
27. Collecting, maintaining, and protecting PII is vital to virtually all of
Defendant’s business purposes, and Defendant benefits from the acquisition, use, and
storage of the PII.
28. Plaintiff and Class Members entrusted their PII to Defendant on the
premise and with the understanding that Defendant would safeguard their
information, use their PII for business purposes only, and/or not disclose their PII to
unauthorized third parties, and/or only retain PII for necessary business purposes and
for a reasonable amount of time.
29. It is well known that PII, including name and contact information in
particular, is an invaluable commodity and a frequent target of hackers.
30. In light of recent high profile data breaches at other industry leading
companies, including, Microsoft (250 million records, December 2019), Wattpad
(268 million records, June 2020), Facebook (267 million users, April 2020), Estee
Lauder (440 million records, January 2020), Whisper (900 million records, March
2020), and Advanced Info Service (8.3 billion records, May 2020), Defendant knew
or should have known that its systems would be targeted by cybercriminals. In fact,
earlier this year, Defendant was the target of a massive security breach orchestrated
by the ransomware criminal enterprise “Lapsus$”, which resulted in the theft of
nearly 200GB of highly sensitive internal data.3
31. Indeed, cyberattacks against the technology industry have been common
for over ten years with the FBI warning as early as 2011 that cybercriminals were
“advancing their abilities to attack a system remotely” and “[o]nce a system is
compromised, cyber criminals will use their accesses to obtain PII.” The FBI further
warned that “the increasing sophistication of cyber criminals will no doubt lead
to an escalation in cyber crime.”4
32. Moreover, it is well known that the specific PII at issue in this case,
including names and contact information in particular, is a valuable commodity and
a frequent target of hackers.
33. As a sophisticated financial and lending entity that collects, utilizes, and
stores particularly sensitive PII, Defendant was at all times fully aware of the
increasing risks of cyber-attacks targeting the PII it controlled, and its obligation to
protect the PII of Plaintiff and Class Members.
34. The PII of consumers remains of high value to criminals, as evidenced
by the prices they will pay through the Dark Web. Numerous sources cite Dark Web
pricing for stolen identity credentials. For example, personal information can be sold
at a price ranging from $40 to $200, and bank details have a price range of $50 to
$200.
35. According to the Dark Web Price Index for 2021, payment card details
for an account balance up to $1,000 have an average market value of $150, credit
card details with an account balance up to $5,000 have an average market value of
$240, stolen online banking logins with a minimum of $100 on the account have an
average market value of $40, and stolen online banking logins with a minimum of
$2,000 on the account have an average market value of $120. Criminals can also
purchase access to entire company data breaches from $900 to $4,500.

3 Gareth Corfield, Lapsus$ extortionists dump Defendant data online, chaebol confirms security breach, THE
REGISTER, Mar. 7, 2022, <https://www.theregister.com/2022/03/07/Defendant_lapsus_data_theft/>
4 Gordon M. Snow, Statement before the House Financial Services Committee, Subcommittee on Financial
Institutions and Consumer Credit, FBI (Sept. 14, 2011),
https://archives.fbi.gov/archives/news/testimony/cyber-security-threats-to-the-financial-sector.

36. A dishonest person who has your name and contact information can use
it to get other personal information about you. A breach including this type of
information places data breach victims at an increased risk of phishing and social
engineering attacks, eventually leading to identity theft.
37. This data, as one would expect, demands a much higher price on the
black market. Martin Walter, senior director at cybersecurity firm RedSeal,
explained, “[c]ompared to credit card information, personally identifiable
information and Social Security Numbers are worth more than 10x in price on the
black market.”
38. Despite the prevalence of public announcements of data breach and data
security compromises and its previous experience as the target of cyberattacks,
Defendant failed to take appropriate steps to protect the PII of Plaintiff and the
proposed Class from being compromised.
39. Defendant had the resources necessary to prevent the Data Breach but
neglected to adequately invest in security measures, despite its obligation to protect
such information. Accordingly, Defendant breached its common law, statutory, and
other duties owed to Plaintiff and Class Members.
40. Security standards commonly accepted among businesses that store PII
using the internet include, without limitation:
a. Maintaining a secure firewall configuration;
b. Maintaining appropriate design, systems, and controls to limit user
access to certain information as necessary;
c. Monitoring for suspicious or irregular traffic to servers;
d. Monitoring for suspicious credentials used to access servers;
e. Monitoring for suspicious or irregular activity by known users;
f. Monitoring for suspicious or unknown users;
g. Monitoring for suspicious or irregular server requests;
h. Monitoring for server requests for PII;
i. Monitoring for server requests from VPNs; and
j. Monitoring for server requests from Tor exit nodes.
41. Upon information and belief, Defendant failed to comply with one or
more of these standards.
42. The Federal Trade Commission (“FTC”) defines identity theft as “a
fraud committed or attempted using the identifying information of another person
without authority.”5 The FTC describes “identifying information” as “any name or
number that may be used, alone or in conjunction with any other information, to
identify a specific person,” including, among other things, “[n]ame, Social Security
number, date of birth, official State or government issued driver’s license or
identification number, alien registration number, government passport number,
employer or taxpayer identification number.”6
43. The Federal Trade Commission (“FTC”) has promulgated numerous
guides for businesses which highlight the importance of implementing reasonable
data security practices. According to the FTC, the need for data security should be
factored into all business decision making.
44. The FTC has brought well publicized enforcement actions against
businesses for failing to adequately and reasonably protect consumer data, treating
the failure to employ reasonable and appropriate measures to protect against
unauthorized access to confidential consumer data as an unfair act or practice
prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C.
§ 45. This includes the FTC’s enforcement action against Equifax following a
massive data breach involving the personal and financial information of 147 million
Americans.

5 17 C.F.R. § 248.201 (2013).
6 Id.

45. In 2016, the FTC updated its publication, “Protecting Personal
Information: A Guide for Business,” which established cyber-security guidelines for
businesses. There, the FTC advised that businesses should protect the PII that they
keep by following some minimum standards related to data security, including,
among others:
(a) Encrypting information stored on computer networks;
(b) Identifying network vulnerabilities;
(c) Implementing policies to update and correct any security
problems;
(d) Utilizing an intrusion detection system;
(e) Monitoring all incoming traffic for suspicious activity indicating
someone is attempting to hack the system;
(f) Watching for large amounts of data being transmitted from the
system;
(g) Developing a response plan ready in the event of a breach;
(h) Limiting employee and vendor access to sensitive data;
(i) Requiring complex passwords to be used on networks;
(j) Utilizing industry-tested methods for security;
(k) Verifying that third-party service providers have implemented
reasonable security measures;
(l) Educating and training employees on data security practices;
(m) Implementing multi-layer security including firewalls, anti-virus,
and anti-malware software;
(n) Implementing multi-factor authentication.
46. Upon information and belief, Defendant failed to implement or
adequately implement at least one of these fundamental data security practices.
47. Defendant’s failure constitutes an unfair act or practice prohibited by
Section 5 of the FTCA.
48. As a result of Defendant’s ineffective and inadequate data security and
retention measures, the Data Breach, and the foreseeable consequences of the PII
ending up in the possession of criminals, the risk of identity theft is materialized and
imminent.
49. Given the type of targeted attack in this case, the sophisticated criminal
activity, and the type of PII, there is a strong probability that entire batches of stolen
information have been placed, or will be placed, on the black market/Dark Web for
sale and purchase by criminals intending to utilize the PII for identity theft crimes,
such as opening bank accounts in the victims’ names to make purchases or to launder
money; file false tax returns; or file false unemployment claims.
50. Furthermore, the information accessed and disseminated in the Data
Breach is significantly more valuable than the loss of, for example, credit card
information in a retailer data breach, where victims can easily cancel or close credit
and debit card accounts. The information disclosed in this Data Breach is impossible
to “close” and difficult, if not impossible, to change (such as names and contact
information).
51. There may be a time lag between when harm occurs versus when it is
discovered, and also between when PII is stolen and when it is used. The fraudulent
activity resulting from the Data Breach may not become evident for years.
52. Indeed, “[t]he risk level is growing for anyone whose information is
stolen in a data breach.” Moreover, there is a high likelihood that significant identity
fraud and/or identity theft has not yet been discovered or reported. Even data that
have not yet been exploited by cybercriminals bears a high risk that the
cybercriminals who now possess Class Members’ PII will do so at a later date or
re-sell it.
53. To date, Defendant has done little to adequately protect Plaintiff and
Class Members, or to compensate them for their injuries sustained in this data breach.
54. Thus, due to the actual and imminent risk of identity theft, Plaintiff and
Class Members must, in Defendant’s words, “remain vigilant” and monitor their
financial accounts for many years to mitigate the risk of identity theft.
55. Plaintiff and Class Members have spent, and will spend additional time
in the future, on a variety of prudent actions, such as placing “freezes” and “alerts”
with credit reporting agencies, contacting financial institutions, closing or modifying
financial accounts, changing passwords, reviewing and monitoring credit reports and
accounts for unauthorized activity, and filing police reports, which may take years to
discover and detect.
56. Plaintiff’s mitigation efforts are consistent with the U.S. Government
Accountability Office that released a report in 2007 regarding data breaches (“GAO
Report”) in which it noted that victims of identity theft will face “substantial costs
and time to repair the damage to their good name and credit record.”
57. Plaintiff’s mitigation efforts are also consistent with the steps that the
FTC recommends that data breach victims take to protect their personal and financial
information after a data breach, including: contacting one of the credit bureaus to
place a fraud alert (consider an extended fraud alert that lasts for seven years if
someone steals their identity), reviewing their credit reports, contacting companies
to remove fraudulent charges from their accounts, placing a credit freeze on their
credit, and correcting their credit reports.
58. Furthermore, Defendant’s poor data security deprived Plaintiff and
Class Members of the benefit of their bargain. When agreeing to pay Defendant or
its clients for services, Plaintiff and other reasonable consumers understood and
expected that they were paying for services and data security, when in fact, Defendant
did not provide the expected data security. Accordingly, Plaintiff and Class Members
received services that were of a lesser value than what they reasonably expected.
59. As a result of Defendant’s ineffective and inadequate data security and
retention measures, the Data Breach, and the imminent risk of identity theft, Plaintiff
and Class Members have suffered numerous actual and concrete injuries, including:
(a) invasion of privacy; (b) financial “out of pocket” costs incurred mitigating the
materialized risk and imminent threat of identity theft; (c) loss of time and loss of
productivity incurred mitigating the materialized risk and imminent threat of identity
theft risk; (d) financial “out of pocket” costs incurred due to actual identity theft; (e)
loss of time incurred due to actual identity theft; (f) loss of time due to increased
spam and targeted marketing emails; (g) the loss of benefit of the bargain (price
premium damages); (h) deprivation of value of their PII; and (i) the continued risk to
their PII, which remains in the possession of Defendant, and which is subject to
further breaches, so long as Defendant fails to undertake appropriate and adequate
measures to protect Plaintiff’s and Class Members’ Sensitive Information.
60. Plaintiff Baughman provided her personal information to Defendant
and/or its affiliates in conjunction with product and services Plaintiff obtained.
61. As part of her involvement with Defendant, Plaintiff entrusted her PII,
and other confidential information such as name, address, phone number, financial
account information, and other personally identifiable information to Defendant and
its affiliates with the reasonable expectation and understanding that they would at
least take industry standard precautions to protect, maintain, and safeguard that
information from unauthorized use or disclosure, and would timely notify her of any
data security incidents related to her. Plaintiff would not have permitted her PII to be
given to Defendant had she known it would not take reasonable steps to safeguard
her PII.
62. As a result of the Data Breach, Plaintiff Baughman has or will make
reasonable efforts to mitigate the impact of the Data Breach, including but not limited
to researching the Data Breach, reviewing credit reports, financial account
statements, and/or personal records for any indications of actual or attempted identity
theft or fraud.
63. Plaintiff Baughman suffered actual injury from having her PII
compromised as a result of the Data Breach including, but not limited to (a) damage
to and diminution in the value of her PII, a form of property that Defendant obtained
from Plaintiff; (b) violation of her privacy rights; (c) the theft of her PII; and (d)
imminent and impending injury arising from the increased risk of identity theft and
fraud.
64. As a result of the Data Breach, Plaintiff Baughman is very concerned
about identity theft and fraud, as well as the consequences of such identity theft and
fraud resulting from the Data Breach.
65. The Data Breach has caused Plaintiff Baughman to suffer significant
fear, anxiety, and stress, which has been compounded by the fact that her name and
contact information and other intimate details are in the hands of criminals.
66. As a result of the Data Breach, Plaintiff Baughman anticipates spending
considerable time and/or money on an ongoing basis to try to mitigate and address
harms caused by the Data Breach. In addition, Plaintiff Baughman will continue to
be at present, imminent, and continued increased risk of identity theft and fraud for
years to come. In fact, Plaintiff Baughman has received an increased number of spam
calls, texts and emails.
67. Plaintiff Baughman has a continuing interest in ensuring that her PII,
which, upon information and belief, remains in Defendant’s possession, is protected
and safeguarded from future breaches.

CLASS ALLEGATIONS
68. Plaintiff brings this class action on behalf of herself and on behalf of all
others similarly situated.
69. The Nationwide Class that Plaintiff seeks to represent is defined as
follows:
All persons residing in the United States whose PII was
compromised in the data breach announced by Defendant,
T-Mobile, US, Inc. in January 2023. (the “Nationwide Class”).
70. The California Class that Plaintiff seeks to represent is defined as
follows:
All persons residing in the state of California whose PII was
compromised in the data breach announced by Defendant T-Mobile
US, Inc. in January 2023. (the “California Class”).
71. Excluded from the Classes are the following individuals and/or entities:
Defendant T-Mobile, US, Inc., and Defendant’s parents, subsidiaries, affiliates,
officers and directors, and any entity in which Defendant has a controlling interest;
all individuals who make a timely election to be excluded from this proceeding using
the correct protocol for opting out; any and all federal, state or local governments,
including but not limited to their departments, agencies, divisions, bureaus, boards,
sections, groups, counsels and/or subdivisions; and all judges assigned to hear any
aspect of this litigation, as well as their immediate family members.
72. Plaintiff reserves the right to modify or amend the definition of the
proposed class and any future subclass before the Court determines whether
certification is appropriate.
73. Numerosity, Fed. R. Civ. P. 23(a)(1): Class Members are so numerous
that joinder of all members is impracticable. Upon information and belief, there are
thousands, if not millions, of individuals whose Private Information may have been
improperly accessed in the Data Breach, and the Class is apparently identifiable
within Defendant’s records.
74. Commonality, Fed. R. Civ. P. 23(a)(2) and (b)(3): Questions of law and
fact common to the Class exist and predominate over any questions affecting only
individual Class Members. These include:
a. Whether and to what extent Defendant had a duty to protect Plaintiff’s
and Class Members’ PII;
b. Whether Defendant had duties not to disclose the Plaintiff’s and Class
Members’ PII to unauthorized third parties;
c. Whether Defendant had duties not to use Plaintiff’s and Class Members’
PII for non-business purpose