`FOR THE WESTERN DISTRICT OF MISSOURI
`
`
`IN RE: T-MOBILE CUSTOMER DATA
`SECURITY BREACH LITIGATION
`
`
`
`MDL No. 3019
`
`Master Case No. 4:21-MD-03019-BCW
`
`
`
`)
`)
`)
`)
`)
`)
`
`
`
`CONSOLIDATED CONSUMER CLASS ACTION COMPLAINT
`
`
`Norman E. Siegel
`STUEVE SIEGEL HANSON LLP
`460 Nichols Rd., Ste. 200
`Kansas City, MO 64112
`siegel@stuevesiegel.com
`
`
`Cari Campen Laufenberg
`KELLER ROHRBACK L.L.P.
`1201 3rd Ave., Ste. 3200
`Seattle, WA 98101
`claufenberg@kellerrohrback.com
`
`
`James J. Pizzirusso
`HAUSFELD LLP
`888 16th St. NW, Ste. 300
`Washington, DC 20006
`jpizzirusso@hausfeld.com
`
`Co-Lead Interim Class Counsel
`
`
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 1 of 338
`
`
`
`TABLE OF CONTENTS
`
`INTRODUCTION .......................................................................................................................... 1
`
`JURISDICTION AND VENUE ..................................................................................................... 1
`
`PLAINTIFFS .................................................................................................................................. 2
`
`STATEMENT OF FACTS ........................................................................................................... 36
`
`CLASS ACTION ALLEGATIONS ............................................................................................. 65
`
`CLAIMS ON BEHALF OF THE NATIONWIDE CLASS ......................................................... 71
`
`CLAIMS ON BEHALF OF THE STATE SUBCLASSES .......................................................... 91
`
`REQUEST FOR RELIEF ........................................................................................................... 331
`
`
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 2 of 338
`
`
`
`INTRODUCTION
`
`“You can trust us to do the right thing with your data.”
`
`
`
`1.
`
`With over 100 million customers, T-Mobile is one of the largest consumer brands
`
`in the United States. It collects vast troves of personal information from its customers and
`
`prospective customers and profits from that data through its own marketing efforts and by selling
`
`sensitive consumer information to third parties. T-Mobile understood it had an enormous
`
`responsibility to protect the data it collected and assured consumers through its Privacy Policy
`
`that T-Mobile uses “administrative, technical, contractual, and physical safeguards designed to
`
`protect your data while it is under our control.” Its Privacy Center likewise assured consumers
`
`that “[w]ith T‑Mobile, you don’t have to worry,” “[w]e’ve got your back,” and “you can trust us
`
`to do the right thing with your data.” But, as T-Mobile admitted, it completely failed to meet
`
`these obligations and protect sensitive consumer data. Instead, T-Mobile suffered one of the
`
`largest and most consequential data breaches in U.S. history, compromising the sensitive
`
`personal information of over 75 million consumers.
`
`JURISDICTION AND VENUE
`
`2.
`
`This Court has subject matter jurisdiction pursuant to the Class Action Fairness
`
`Act of 2005, 28 U.S.C. § 1332(d)(2), because this is a class action in which the matter in
`
`controversy exceeds the sum of $5,000,000, there are more than 100 proposed Class Members,
`
`and minimal diversity exists as Defendant is a citizen of States different from that of at least one
`
`Class member. This Court also has supplemental jurisdiction pursuant to 28 U.S.C. § 1367(a)
`
`because all claims alleged herein form part of the same case or controversy.
`
`3.
`
`This Court has personal jurisdiction over T-Mobile because it is authorized to and
`
`regularly conducts business in the State of Missouri. T-Mobile sells, markets, and advertises its
`
`products and services to Plaintiffs and Class Members located in the State of Missouri and,
`
`1
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 3 of 338
`
`
`
`therefore, has sufficient minimum contacts to render the exercise of jurisdiction by this Court
`
`proper and necessary. Moreover, T-Mobile specifically requested the case be transferred to this
`
`District.
`
`4.
`
`Venue is proper in this District pursuant to 28 U.S.C. § 1407 and the January 31,
`
`2022, Transfer Order of the Judicial Panel on Multidistrict Litigation in MDL 3019 or, in the
`
`alternative, pursuant to 28 U.S.C. § 1391 because Defendant transacts business and may be
`
`found in this District.
`
`DEFENDANT
`
`5.
`
`Defendants T-Mobile US, Inc. and its wholly-owned subsidiary T-Mobile USA,
`
`Inc. (“Defendant” or “T-Mobile”) are a telecommunications company that provides wireless
`
`voice, messaging, and data services along with mobile phones and accessories. T-Mobile is
`
`headquartered in Bellevue, Washington and Overland Park, Kansas in the Kansas City
`
`Metropolitan area, and is incorporated under the laws of the State of Delaware.
`
`PLAINTIFFS
`
`6.
`
`Plaintiffs are individuals who, upon information and belief, had their personally-
`
`identifiable information (“PII”)1 exfiltrated and compromised in the data breach announced by T-
`
`Mobile on August 16, 2021 (the “Data Breach”), and they bring this action on behalf of
`
`themselves and all those similarly situated both across the United States and within their State
`
`residence. The following allegations are made upon information and belief derived from, among
`
`other things, investigation of counsel, public sources, and the facts and circumstances as
`
`currently known. Because only T-Mobile (and the hackers) have knowledge of what information
`
`
`1 PII is information that is used to confirm an individual’s identity and can include an
`individual’s name, Social Security number, driver’s license number, phone number, financial
`information, and other identifying information unique to an individual. For T-Mobile, this
`information also includes unique technical identifiers tethered to customers’ mobile phones.
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 4 of 338
`
`2
`
`
`
`was compromised for each individual Plaintiff, Plaintiffs reserve their right to supplement their
`
`allegations with additional facts and injuries as they are discovered.
`
`7.
`
`Plaintiffs place significant value in the security of their PII. Plaintiffs entrusted
`
`their sensitive PII to T-Mobile with the understanding that T-Mobile would keep their
`
`information secure and employ reasonable and adequate security measures to ensure that it
`
`would not be compromised. If Plaintiffs had known of T-Mobile’s lax security practices with
`
`respect to Plaintiffs’ PII, they would not have done business with T-Mobile, would not have
`
`applied for T-Mobile’s services or purchased its products, would not have opened, used, or
`
`continued to use T-Mobile’s cell phone and other telecommunications-related services at the
`
`applicable rates and on the applicable terms, or would have paid less because of the diminished
`
`value of T-Mobile’s services.
`
`ALABAMA
`
`8.
`
`Plaintiff Dana Snider is a resident of the State of Alabama and is a current
`
`customer of T-Mobile. Plaintiff Snider was notified by a third-party monitoring company that her
`
`PII was located on the dark web as a result of the T-Mobile Data Breach. In addition, as a result
`
`of the breach, Plaintiff Snider spent time and effort researching the breach and monitoring her
`
`accounts for fraudulent activity. Given the highly-sensitive nature of the information stolen, and
`
`its subsequent dissemination to unauthorized parties, Plaintiff Snider has already suffered injury
`
`and remains at a substantial and imminent risk of future harm.
`
`ARIZONA
`
`9.
`
`Plaintiff Tonya Bauer is a resident of the State of Arizona and is a current
`
`customer of T-Mobile. Plaintiff Bauer was notified by T-Mobile that her PII was compromised
`
`in the T-Mobile Data Breach. As a result of the breach, Plaintiff Bauer has suffered fraud in the
`
`form of unauthorized attempted bank transfers. As a result of this fraud, Plaintiff Bauer spent
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 5 of 338
`
`3
`
`
`
`time at her bank addressing the unauthorized activity. Plaintiff Bauer also placed a fraud alert on
`
`her credit file with the credit bureaus. In addition, as a result of the breach, Plaintiff Bauer spent
`
`time and effort researching the breach and monitoring her accounts for fraudulent activity. Given
`
`the highly-sensitive nature of the information stolen, and its subsequent dissemination to
`
`unauthorized parties, Plaintiff Bauer has already suffered injury and remains at a substantial and
`
`imminent risk of future harm.
`
`10.
`
`Plaintiff Oscar Gonzalez is a resident of the State of Arizona and is a current
`
`customer of T-Mobile. Plaintiff Gonzalez was notified by a third-party monitoring company that
`
`his PII was located on the dark web as a result of the T-Mobile Data Breach. As a result of the
`
`breach, Plaintiff Gonzalez has suffered fraud in the form of an unknown loan or debt applied for
`
`in his name which appeared on his credit reports following the breach. As a result of this fraud,
`
`Plaintiff Gonzalez spent several hours over the course of two days investigating the breach and
`
`fraudulent account listed on his credit report. Given the highly-sensitive nature of the
`
`information stolen, and its subsequent dissemination to unauthorized parties, Plaintiff Gonzalez
`
`has already suffered injury and remains at a substantial and imminent risk of future harm.
`
`ARKANSAS
`
`11.
`
`Plaintiff George Markham is a resident of the State of Arkansas and is a current
`
`customer of T-Mobile. Plaintiff Markham was notified by T-Mobile that his PII was
`
`compromised in the T-Mobile Data Breach. As a result of the breach, Plaintiff Markham spent
`
`time and effort researching the breach and monitoring his accounts for fraudulent activity. Given
`
`the highly-sensitive nature of the information stolen, and its subsequent dissemination to
`
`unauthorized parties, Plaintiff Markham has already suffered injury and remains at a substantial
`
`and imminent risk of future harm.
`
`
`
`
`
`
`
`4
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 6 of 338
`
`
`
`CALIFORNIA
`
`12.
`
`Plaintiff Jill Kobernick is a resident of the State of California and is a former
`
`customer of T-Mobile. Plaintiff Kobernick works as a property assistant, procuring and
`
`managing props for TV shows. On two occasions years ago, she purchased SIM cards from T-
`
`Mobile so that actors could receive calls and texts on set. Plaintiff Kobernick was notified by a
`
`third-party monitoring company that her PII was located on the dark web as a result of the T-
`
`Mobile Data Breach. Plaintiff Kobernick also froze her credit following the breach. In addition,
`
`as a result of the breach, Plaintiff Kobernick spent time and effort researching the breach and
`
`monitoring her accounts for fraudulent activity. Given the highly-sensitive nature of the
`
`information stolen, and its subsequent dissemination to unauthorized parties, Plaintiff Kobernick
`
`has already suffered injury and remains at a substantial and imminent risk of future harm.
`
`13.
`
`Plaintiff Daniel Strenfel is a resident of the State of California and is a current
`
`customer of T-Mobile. Plaintiff Strenfel was notified by T-Mobile that his PII was compromised
`
`in the T-Mobile Data Breach. As a result of the breach, Plaintiff Strenfel spent time and effort
`
`researching the breach and monitoring his accounts for fraudulent activity. Given the highly-
`
`sensitive nature of the information stolen, and its subsequent dissemination to unauthorized
`
`parties, Plaintiff Strenfel has already suffered injury and remains at a substantial and imminent
`
`risk of future harm.
`
`14.
`
`Plaintiff Henry Thang is a resident of the State of California and is a current
`
`customer of T-Mobile. Plaintiff Thang was notified by T-Mobile that his PII was compromised
`
`in the T-Mobile Data Breach. Plaintiff Thang was also notified by a third-party monitoring
`
`company that his PII was located on the dark web as a result of the T-Mobile Data Breach. As a
`
`result of the breach, Plaintiff Thang spent time and effort researching the breach and monitoring
`
`his accounts for fraudulent activity. Given the highly-sensitive nature of the information stolen,
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 7 of 338
`
`5
`
`
`
`and its subsequent dissemination to unauthorized parties, Plaintiff Thang has already suffered
`
`injury and remains at a substantial and imminent risk of future harm.
`
`COLORADO
`
`15.
`
`Plaintiff Park Sutton is a resident of the State of Colorado and is a current
`
`customer of T-Mobile. Plaintiff Sutton was notified by T-Mobile that his PII was compromised
`
`in the T-Mobile Data Breach. As a result of the breach, Plaintiff Sutton has suffered fraud in the
`
`form of fraudulent calls from persons posing as his internet providers and asking for personal
`
`identifying information and then changing his T-Mobile account password, and attempting to
`
`change his Coinbase, Amazon, and other account passwords. As a result of this fraud, Plaintiff
`
`Sutton spent time calling T-Mobile, his bank, and his internet provider, and responding to
`
`numerous attempts to change his passwords. In addition, as a result of the breach, Plaintiff Sutton
`
`spent time and effort researching the breach and monitoring his accounts for fraudulent activity.
`
`Given the highly-sensitive nature of the information stolen, and its subsequent dissemination to
`
`unauthorized parties, Plaintiff Sutton has already suffered injury and remains at a substantial and
`
`imminent risk of future harm.
`
`16.
`
`Plaintiff Deric Prescott resides in the State of Colorado and is a current customer
`
`of T-Mobile. Plaintiff Prescott was notified by T-Mobile that his PII was compromised in the T-
`
`Mobile Data Breach. Plaintiff Prescott was also notified by a third-party monitoring company
`
`that his PII was located on the dark web as a result of the T-Mobile Data Breach. In addition, as a
`
`result of the breach, Plaintiff Prescott spent time and effort researching the breach and
`
`monitoring his accounts for fraudulent activity. Given the highly-sensitive nature of the
`
`information stolen, and its subsequent dissemination to unauthorized parties, Plaintiff Prescott
`
`has already suffered injury and remains at a substantial and imminent risk of future harm.
`
`
`
`
`
`
`
`6
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 8 of 338
`
`
`
`CONNECTICUT
`
`17.
`
`Plaintiff Robert Taylor is a resident of the State of Connecticut and is a former
`
`customer of T-Mobile. As a former customer of T-Mobile, Plaintiff Taylor believes his PII was
`
`compromised in the T-Mobile Data Breach. Prior to the breach, Plaintiff Taylor purchased credit
`
`monitoring from Norton at a cost of approximately $9.00 per month. As a result of the breach,
`
`Plaintiff Taylor will need to continue paying for the service indefinitely in order to mitigate
`
`against harm. In addition, as a result of the breach, Plaintiff Taylor spent time and effort
`
`researching the breach and monitoring his accounts for fraudulent activity. Given the highly-
`
`sensitive nature of the information stolen, and its subsequent dissemination to unauthorized
`
`parties, Plaintiff Taylor already suffered injury and remains at a substantial and imminent risk of
`
`future harm.
`
`DELAWARE
`
`18.
`
`Plaintiff William Lambert is a resident of the State of Delaware and is a current
`
`customer of T-Mobile. Plaintiff Lambert was notified by T-Mobile that his PII was compromised
`
`in the T-Mobile Data Breach. Plaintiff Lambert was also notified by McAfee that his PII was
`
`located on the dark web as a result of the T-Mobile Data Breach. As a result of the breach,
`
`Plaintiff Lambert has suffered identity theft and fraud in the form of multiple unauthorized
`
`attempts to receive unemployment from the State of Pennsylvania and State of Delaware by
`
`submitting unauthorized, fraudulent applications using Plaintiff Lambert’s PII. As a result of this
`
`identity theft and fraud, Plaintiff Lambert spent time filing a report with the relevant
`
`administrative agencies in Pennsylvania and Delaware, respectively. As a result of the breach,
`
`Plaintiff spent time researching ways to protect his PII, speaking with the Social Security
`
`Administration to lock his social security number, monitoring his credit and bank accounts for
`
`additional fraud, as well as ongoing attempts to resolve the unemployment fraud. Given the
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 9 of 338
`
`7
`
`
`
`highly-sensitive nature of the information stolen, and its subsequent dissemination to
`
`unauthorized parties, Plaintiff Lambert has already suffered injury and remains at a substantial
`
`and imminent risk of future harm.
`
`DISTRICT OF COLUMBIA
`
`19.
`
`Plaintiff Alexis Grant is a resident of the District of Columbia and is a current
`
`customer of T-Mobile. As a current customer of T-Mobile, Plaintiff Grant believes her PII was
`
`compromised in the T-Mobile Data Breach. As a result of the breach, Plaintiff Grant has suffered
`
`identity theft in the form of unauthorized attempts to change passwords for several of her
`
`accounts, including email accounts, social media accounts, bank accounts and certain electronic
`
`payment accounts and access those accounts without her authorization. As a result of this
`
`identity theft, Plaintiff Grant spent time changing passwords and monitoring her accounts for
`
`suspicious activity. Given the highly-sensitive nature of the information stolen, and its
`
`subsequent dissemination to unauthorized parties, Plaintiff Grant has already suffered injury and
`
`remains at a substantial and imminent risk of future harm.
`
`20.
`
`Plaintiff Sam Huxley is a resident of the District of Columbia and is a current
`
`customer of T-Mobile. Plaintiff Huxley was notified by T-Mobile that his PII was compromised
`
`in the T-Mobile Data Breach. Prior to the breach, Plaintiff Huxley purchased credit monitoring
`
`and identity theft protection services from Experian at a cost of approximately $105 annually. As
`
`a result of the breach, Plaintiff Huxley will need to continue paying for the credit monitoring and
`
`identity theft protection services indefinitely in order to mitigate against harm. In addition, as a
`
`result of the breach, Plaintiff Huxley spent time and effort researching the breach and monitoring
`
`his accounts for fraudulent activity. Given the highly-sensitive nature of the information stolen,
`
`and its subsequent dissemination to unauthorized parties, Plaintiff Huxley has already suffered
`
`injury and remains at a substantial and imminent risk of future harm.
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 10 of 338
`
`8
`
`
`
`FLORIDA
`
`21.
`
`Plaintiff Nora Liz Garcia Nater is a resident of the State of Florida and applied for
`
`services with T-Mobile but never became a T-Mobile customer. Plaintiff Garcia Nater was
`
`notified by a third-party monitoring company that her PII was located on the dark web as a result
`
`of the T-Mobile Data Breach. As a result of the breach, Plaintiff Garcia Nater has suffered fraud
`
`in the form of several unauthorized credit applications filed in her name, including credit
`
`applications through American Express and Figured. Plaintiff Garcia Nater’s credit score has
`
`dropped as a result of these fraudulent applications, which were reflected on her credit report. As
`
`a result of these unauthorized, fraudulent applications, Plaintiff Garcia Nater was unable to
`
`secure several lines of credit for her businesses and in her personal capacity, including through
`
`Chase. Plaintiff Garcia Nater has attempted to change her Social Security number as a result of
`
`the fraudulent applications submitted in her name. Plaintiff Garcia Nater has also frozen her
`
`credit, which she has un-frozen at certain intervals to resume her business activities. As a result
`
`of the data breach, Plaintiff Garcia Nater has spent significant time reviewing and monitoring her
`
`financial accounts and credit. To date, Plaintiff Garcia Nater spent approximately 280 hours
`
`resolving these issues. Given the highly-sensitive nature of the information stolen, and its
`
`subsequent dissemination to unauthorized parties, Plaintiff Garcia Nater has already suffered
`
`injury and remains at a substantial and imminent risk of future harm.
`
`22.
`
`Plaintiff Andrew Luna is a resident of the State of Florida and is a former
`
`customer of T-Mobile. Plaintiff Luna was notified by T-Mobile that his PII was compromised in
`
`the T-Mobile Data Breach. Plaintiff Luna was also notified by a third-party monitoring company
`
`that his PII was located on the dark web as a result of the T-Mobile Data Breach. As a result of
`
`the breach, Plaintiff Luna has suffered identity theft in the form of an unauthorized Apple
`
`account opened using his PII, unauthorized loans applied for in his name, creditors contacting
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 11 of 338
`
`9
`
`
`
`him about loans which he never opened nor applied, an increased volume of spam phone calls
`
`and text messages, as well as spoof emails with information about unauthorized loans and
`
`accounts bearing the logo of legitimate companies. Also, as result of this identity theft, Plaintiff
`
`Luna spent a significant amount of time monitoring personal accounts for fraudulent activity. In
`
`addition, as a result of the breach, Plaintiff Luna spent time and effort researching the breach and
`
`monitoring his personal credit and financial accounts for fraudulent activity. As a result, Plaintiff
`
`Luna froze his credit accounts with the major bureaus and spent time on the phone with the
`
`Social Security Administration. As a result of the breach, Plaintiff Luna purchased identity theft
`
`protection and fraud monitoring services with IdentityGuard, at a cost of approximately $300
`
`annually. Plaintiff Luna will need to continue paying for this service indefinitely to monitor his
`
`accounts and mitigate against harm. Given the highly-sensitive nature of the information stolen,
`
`and its subsequent dissemination to unauthorized parties, Plaintiff Luna has already suffered
`
`injury and remains at a substantial and imminent risk of future harm.
`
`GEORGIA
`
`23.
`
`Plaintiff Amber Wilhite is a resident of the State of Georgia and is a former
`
`customer of T-Mobile. As a former customer of T-Mobile, Plaintiff Wilhite believes her PII was
`
`compromised in the T-Mobile Data Breach. As a result of the breach, Plaintiff Wilhite has
`
`suffered identity theft and fraud in the form of a SIM swap on her phone, theft of more than
`
`$18,000 from her Coinbase accounts, and attempted logins to her Venmo account. As a result of
`
`this identity theft and fraud, Plaintiff Wilhite not only lost a significant sum of money without
`
`recovery, but spent time and money researching the breach, attempting to recover access to her
`
`phone and accounts, and filing a police report. Prior to the breach, Plaintiff Wilhite purchased
`
`Experian credit monitoring services from Experian at a cost of $10 per month. As a result of the
`
`breach, Plaintiff Wilhite will need to continue paying for the service indefinitely in order to
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 12 of 338
`
`10
`
`
`
`mitigate against harm. In addition, as a result of the breach, Plaintiff Wilhite spent time and
`
`effort researching the breach and monitoring her accounts for fraudulent activity. Given the
`
`highly-sensitive nature of the information stolen, and its subsequent dissemination to
`
`unauthorized parties, Plaintiff Wilhite has already suffered injury and remains at a substantial
`
`and imminent risk of future harm.
`
`24.
`
`Plaintiff Victoria Purnell is a resident of the State of Georgia and is a current
`
`customer of T-Mobile. As a current customer of T-Mobile, Plaintiff Purnell believes her PII was
`
`compromised in the T-Mobile Data Breach. As a result of the breach, Plaintiff Purnell has
`
`suffered identity theft in the form of unauthorized Wells Fargo bank accounts opened in her
`
`name and an unauthorized application for unemployment filed in her name. As a result of this
`
`identity theft, Plaintiff Purnell spent time calling Wells Fargo and the Georgia State
`
`unemployment office. Prior to the breach, Plaintiff Purnell purchased credit monitoring services
`
`from Experian at a cost of approximately $22 per month. As a result of the breach, Plaintiff
`
`Purnell will need to continue paying for the service indefinitely in order to mitigate against harm.
`
`Given the highly-sensitive nature of the information stolen, and its subsequent dissemination to
`
`unauthorized parties, Plaintiff Purnell has already suffered injury and remains at a substantial and
`
`imminent risk of future harm.
`
`25.
`
`Plaintiff Emerson Davis is a resident of the State of Georgia and is a former
`
`customer of T-Mobile. Plaintiff Davis was notified by a third-party monitoring company that his
`
`PII was located on the dark web after the T-Mobile Data Breach. As a result of the breach,
`
`Plaintiff Davis suffered identity theft in the form of an unauthorized bank account with USAA
`
`opened in his name. Plaintiff Davis also received several phone calls from T-Mobile requesting
`
`him to confirm that his cell phone number could be transferred to another individual, a transfer
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 13 of 338
`
`11
`
`
`
`he did not initiate or authorize. As a result of this identity theft, Plaintiff Davis spent time on the
`
`phone with USAA, his own bank, and T-Mobile. In addition, as a result of the breach, Plaintiff
`
`Davis spent time and effort researching the breach and monitoring his accounts for fraudulent
`
`activity. Given the highly-sensitive nature of the information stolen, and its subsequent
`
`dissemination to unauthorized parties, Plaintiff Davis has already suffered injury and remains at
`
`a substantial and imminent risk of future harm.
`
`HAWAII
`
`26.
`
`Plaintiff Daniel Kanaan is a resident of the State of Hawaii and is a current
`
`customer of T-Mobile. Plaintiff Kanaan was notified by a third-party monitoring company that
`
`his PII was located on the dark web as a result of the T-Mobile Data Breach. Prior to the breach,
`
`Plaintiff Kanaan purchased a credit monitoring service which was bundled with tax services at an
`
`annual cost. As a result of the breach, Plaintiff Taylor will need to continue paying for credit
`
`monitoring service indefinitely in order to mitigate against harm. In addition, as a result of the
`
`breach, Plaintiff Kanaan spent time and effort researching the breach and monitoring his
`
`accounts for fraudulent activity. Given the highly-sensitive nature of the information stolen, and
`
`its subsequent dissemination to unauthorized parties, Plaintiff Kanaan has already suffered injury
`
`and remains at a substantial and imminent risk of future harm.
`
`ILLINOIS
`
`27.
`
`Plaintiff Neil Daly is a resident of the State of Illinois and is a current customer of
`
`T-Mobile. Plaintiff Daly was notified by T-Mobile that his PII was compromised in the T-
`
`Mobile Data Breach. As a result of the breach, Plaintiff Daly has suffered identity theft and fraud
`
`in the form of an unauthorized SIM swap fraud and unauthorized access to his PII, Apple
`
`account, and iCloud account—which were used to drain all the funds in he and his wife’s shared
`
`bank account through a series of unauthorized charges linking back to Plaintiff Daly’s iCloud
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 14 of 338
`
`12
`
`
`
`account. As a result of the identity theft and fraud, Plaintiff Daly and his wife could not access
`
`funds in their bank account for nearly two weeks while they initiated an investigation with their
`
`bank over the unauthorized charges. Plaintiff Daly also suffered harm in the form of a sudden,
`
`unprecedented influx of inbound spam text and email messages, by the hundreds, imposing
`
`significant and ongoing burden on Plaintiff Daly who relies on his device and email to perform
`
`his job duties. In addition, as a result of the breach, Plaintiff Daly and his wife spent time and
`
`effort addressing the fraudulent activity, researching the breach, freezing their credit, and
`
`monitoring their accounts for fraudulent activity. Given the highly-sensitive nature of the
`
`information stolen, and its subsequent dissemination to unauthorized parties, Plaintiff Daly has
`
`already suffered injury and remains at a substantial and imminent risk of future harm.
`
`28.
`
`Plaintiff Roxanne Salahuddin is a resident of the State of Illinois and is a current
`
`customer of T-Mobile. Plaintiff Salahuddin was notified by T-Mobile that her PII was
`
`compromised in the T-Mobile Data Breach. Plaintiff Salahuddin was also notified by Norton
`
`Life Lock that her PII was located on the dark web as a result of the T-Mobile Data Breach. As a
`
`result of the breach, Plaintiff Salahuddin has suffered identity theft and fraud when someone
`
`gained unauthorized access to her phone and used her accounts to make unauthorized purchases,
`
`including through her PayPal account. As a result of this identity theft and fraud, Plaintiff
`
`Salahuddin spent time on the phone with PayPal and the listed merchant to resolve the issue and
`
`spent time and effort freezing her credit and monitoring her credit card accounts. Plaintiff
`
`Salahuddin also filed a police report and purchased identity theft protection/credit monitoring
`
`services from Norton Lifelock. As a further result of the breach, Plaintiff Salahuddin suffered
`
`unauthorized solicitations and experienced a significant increase in suspicious phishing scam
`
`phone calls, text messages, and emails following the breach. In addition, as a result of the breach,
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 15 of 338
`
`13
`
`
`
`Plaintiff Salahuddin spent time and effort researching the breach and monitoring her accounts for
`
`fraudulent activity. Given the highly-sensitive nature of the information stolen, and its
`
`subsequent dissemination to unauthorized parties, Plaintiff Salahuddin has already suffered
`
`injury and remains at a substantial and imminent risk of future harm.
`
`INDIANA
`
`29.
`
`Plaintiff Shirley Howard is a resident of the State of Indiana and is a current
`
`customer of T-Mobile. Plaintiff Howard was notified by a third-party monitoring company that
`
`her PII was located on the dark web as a result of the T-Mobile Data Breach. As a result of the
`
`breach, Plaintiff Howard has suffered identity theft and fraud in the form of an unauthorized
`
`bank account applied for in her name. As a result of this identity theft and fraud, Plaintiff
`
`Howard spent time calling the bank and the credit bureaus attempting to remedy the situation,
`
`and her credit score was negatively impacted. In addition, as a result of the breach, Plaintiff
`
`Howard spent time and effort researching the breach and monitoring her accounts for fraudulent
`
`activity. Given the highly-sensitive nature of the information stolen, and its subsequent
`
`dissemination to unauthorized parties, Plaintiff Howard has already suffered injury and remains
`
`at a substantial and imminent risk of future harm.
`
`30.
`
`Plaintiff LaTasha Harris is a resident of the State of Indiana and is a former
`
`customer of T-Mobile. Plaintiff Harris was notified by a third-party monitoring company that her
`
`PII was located on the dark web as a result of the T-Mobile Data Breach. As a result of the
`
`breach, Plaintiff Harris has suffered identity theft in the form of an unauthorized unemployment
`
`claim filed in her name. As a result of this identity theft, Plaintiff Harris spent time working with
`
`her employer, the unemployment office, the Social Security Administration, the Indiana Attorney
`
`General’s Office, and the Indiana State Police to deal with the identity theft. In addition, as a
`
`result of the breach, Plaintiff Harris spent time and effort researching the breach and monitoring
`
`
`
`Case 4:21-md-03019-BCW Document 128 Filed 05/11/22 Page 16 of 338
`
`14
`
`
`
`her accounts for fraudulent activity. Given the highly-sensitive nature of the information stolen,
`
`and its subsequent dissemination to unauthorized parties, Plaintiff Harris has already suffered
`
`injury and remains at a substantial and imminent risk of future harm.
`
`IOWA
`
`31.
`
`Plaintiff Jonathan Davis is a resident of the State of Iowa and is a current
`
`customer of T-Mobile. Plaintiff Davis was notified by a third-