Case 2:21-cv-01118 Document 1 Filed 08/19/21 Page 1 of 38

UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF WASHINGTON
SEATTLE DIVISION

VEERA DARUWALLA, MICHAEL MARCH, and LAVICIEIA STURDIVANT, individually and on behalf of classes of similarly situated individuals,

Plaintiffs,

v.

T-MOBILE USA, INC.

Defendant.

Case No.:

CLASS ACTION COMPLAINT FOR:

(1) Violation of the California Consumer Privacy Act § 1798.150
(2) Negligence
(3) Negligence Per Se
(4) Unjust Enrichment
(5) Breach of Implied Contract
(6) Breach of Confidence
(7) Declaratory and Injunctive Relief

DEMAND FOR JURY TRIAL

CLASS ACTION COMPLAINT - 1

TOUSLEY BRAIN STEPHENS PLLC
1200 Fifth Avenue, Suite 1700
Seattle, Washington 98101
TEL. 206.682.5600 • FAX 206.682.2992

Plaintiffs Veera Daruwalla, Michael March, and Lavicieia Sturdivant (“Plaintiffs”), individually and on behalf of classes of similarly situated individuals (defined below), bring this action against Defendant T-Mobile USA, Inc. (“T-Mobile” or “Defendant”). Plaintiffs make the following allegations based upon personal knowledge as to their own actions and upon information and belief as to all other matters and believe that reasonable discovery will provide additional evidentiary support for the allegations herein.

I. NATURE OF THE CASE

1. “Not all data breaches are created equal. None of them are good, but they do come in varying degrees of bad. And given how regularly they happen, it’s understandable that you may have become inured to the news. Still, a T-Mobile breach that hackers claim involved the data of 100 million people deserves your attention….” WIRED Magazine, The T-Mobile Data Breach is One You Can’t Ignore, August 16, 2021.

2. On the same day that article was printed, T-Mobile confirmed that hackers using the Twitter handle @und0xxed had in fact gained unauthorized access to T-Mobile data through T-Mobile servers (the “Data Breach”).

3. According to the hackers, the stolen personal identifying information (“PII”) includes customers’ names, addresses, social security numbers, drivers license information, phone numbers, dates of birth, security PINs, phone numbers, and, for some customers, unique IMSI and IMEI numbers (embedded in customer mobile devices that identify the device and the SIM card that ties that customer’s device to a telephone number)—all going back as far as the mid 1990s. The hackers also claim to have a database that includes credit card numbers with six digits of the cards obfuscated.

4. As the WIRED article points out: “[T]he apparent T-Mobile breach offers potential buyers a blend of data that could be used to great effect.” “[H]aving [this PII] centralized streamlines the [identity theft] process for criminals…” And while it may be true that “names and phone numbers are relatively easy to find … a database that ties those two together, along with identifying someone’s carrier and fixed address, makes it much easier to convince someone to click on a link that advertises, say, a special offer or upgrade for T-Mobile customers. And to do so en masse.”

5. Furthermore, “[b]ecause each IMEI number is tied to a specific customer’s phone, knowing it could help in a so-called SIM-swap attack” which “could lead to account takeover concerns…since threat actors could gain access to two-factor authentication or one-time passwords tied to other accounts—such as email, banking, or any other account employing advanced authentication security feature—using a victim’s phone number.” In fact, a previous T-Mobile data breach disclosed in February of this year—one of many it has suffered in the last few years—was used specifically to execute a SIM-swap attack.1

6. According to the hackers, the Data Breach reportedly affects more than 100 million individuals, meaning that all or nearly all T-Mobile customers may have been impacted.2 As of August 18, T-Mobile has conceded that its “preliminary investigation” indicates that at least 7.8 million current T-Mobile postpaid customer accounts were in the stolen files, as well as over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile, 850,000 active prepaid customers, and some additional information from inactive prepaid accounts accessed through prepaid billing files. The investigation appears ongoing and therefore may reveal additional affected accounts.

1 See, e.g., Gatlan, Sergio, T-Mobile discloses data breach after SIM swapping attacks, Bleeping Computer, Feb. 26, 2021, available at https://www.bleepingcomputer.com/news/security/t-mobile-discloses-data-breach-after-sim-swapping-attacks/.
2 T-Mobile US Inc. (2020). Form 10-K 2020 at 5. Retrieved from https://www.sec.gov/ix?doc=/Archives/edgar/data/0001283699/000128369921000039/tmus-20201231.htm.

7. But while T-Mobile has confirmed that a breach occurred, it has yet to provide any notice or instruction to its customers, other than that “communications will be issued shortly” recommending that all T-Mobile postpaid customers proactively change their PIN and take advantage of Account Takeover Protection capabilities. Unfortunately, it is too late: according to the hackers, they have already sold a first batch containing hundreds of thousands of records and are shopping the bulk of the stolen PII directly to buyers.

8. As the target of many data breaches in the past, T-Mobile knew its systems were vulnerable to attack. Yet it failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ personal information, yet again putting millions of customers at great risk of scams and identity theft. Its customers expected and deserved better from the second largest wireless provider in the country.

9. The customer PII disclosed in the Data Breach is protected by the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 (“CCPA”), which gives rise to a cause of action when insufficient security results in a breach. Specifically, the CCPA gives rise to a claim where, as here, an individual’s name in combination with a social security number or driver’s license number are exfiltrated without authorization (among other things).3

10. In a private right of action, the CCPA also provides for statutory damages of between $100 and $750 per customer per violation or actual damages, whichever is greater. The appropriate amount of statutory damages is determined through examination of a number of factors, including the size of Defendant’s assets and whether the Defendant has a record of weak data security.

3 In other sections of the CCPA, “personal information” is defined more broadly as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

11. Finally, the CCPA provides that “[a]ny provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.”

12. Plaintiffs now seek compensation under the CCPA and principles of common law negligence, unjust enrichment, breach of implied contract, and breach of confidence, for their damages and those of fellow class members. Plaintiffs also seek injunctive relief to ensure that T-Mobile cannot continue to put its customers at risk.

II. JURISDICTION AND VENUE

13. This Court has jurisdiction over this action under the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d), because the aggregate amount in controversy exceeds $5,000,000, exclusive of interests and costs, there are more than 100 class members, and one or more members of the classes are residents of a different state than the Defendant. The Court also has supplemental jurisdiction over the state law claims under 28 U.S.C. § 1367.

14. This Court has personal jurisdiction over Defendant because it is headquartered in this District.

15. Venue is proper in this District pursuant to 28 U.S.C. §§ 1391(b) and (c) and 15 U.S.C. §§ and 22, as Defendant resides, transacts business, committed an illegal or tortious act, has an agent, and/or can be found in this District.

III. PARTIES

16. Plaintiff Veera Daruwalla is a resident of Kern County, California. As a current T-Mobile customer since at least 2018, Ms. Daruwalla believes her PII was accessed without authorization, exfiltrated, and/or stolen in the Data Breach.

17. Plaintiff Michael March is a resident of Chalmette, Louisiana and was a T-Mobile customer for approximately eight years before canceling his services due to privacy concerns. As a former T-Mobile customer, Mr. March believes his PII was accessed without authorization, exfiltrated, and/or stolen in the Data Breach.

18. Plaintiff Lavicieia Sturdivant is a resident of Evanston, Illinois and has been a T-Mobile customer for approximately 18 years. On August 19, 2021, Ms. Sturdivant received a text message from T-Mobile notifying her that her PII was accessed without authorization, exfiltrated, and/or stolen in the Data Breach.

19. Defendant, T-Mobile USA, Inc., is a Delaware corporation headquartered in this district, at 12920 Southeast 38th Street, Bellevue, WA 98006. Defendant is a publicly traded company organized and operated for the profit and financial benefit of its shareholders. As of January 1, 2021, Defendant had annual gross revenues of well over $60 billion. Defendant collects and maintains the personal information of millions of U.S. and California consumers.

20. Defendant’s unlawful conduct was authorized, ordered, or performed by its directors, officers, managers, agents, employees, or representatives in the course of their employment and while actively engaged in the management of Defendant’s affairs. Defendant, through its subsidiaries, divisions, affiliates and agents, operated as a single unified entity with each acting as the alter ego, agent or joint-venturer of or for the other with respect to the acts, violations, and common course of conduct alleged herein and under the authority and apparent authority of parent entities, principals and controlling parties.

IV. FACTS

The Data Breach

21. As outlined above, T-Mobile has admitted it was the subject of yet another massive data breach that affected millions of its customers. The customer PII the hackers have sold and continue to market for sale is believed to include: customers’ names, addresses, social security numbers, drivers license information, phone numbers, dates of birth, security PINs, phone numbers, and, for some customers, unique IMSI and IMEI numbers (embedded in customer mobile devices that identify the device and the SIM card that ties that customer’s device to a telephone number)—all going back as far as the mid 1990s.

22. According to the hackers, they were able to access the PII through an opening in T-Mobile’s wireless data network that allowed access to two of T-Mobile’s customer data centers. From there, they were able to access several customer databases totaling more than 100 gigabytes.

23. Motherboard, the tech news division of Vice, has reported that it reviewed samples of the data and confirmed it contained accurate information about T-Mobile customers. The hackers also offered to verify that they possessed the customers’ PII, stating: “If you want to verify that I have access to the data/the data is real, just give me a T-Mobile number and I’ll run a lookup for you and return the IMEI and IMSI of the phone currently attached to the number and any other details,” @und0xxed said. “All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”

24. As a result of the Data Breach and because the stolen data is being actively marketed for sale, numerous entities are suggesting that affected consumers take steps to protect their identities.

25. The Washington Post reported that affected individuals should: 1) Change your password and PIN; 2) freeze your credit; 3) rethink two-factor authentication; and 4) keep monitoring the situation.4

4 Velazco, Chris, Here’s what to do if you think you’re affected by T-Mobile’s big data breach, Washington Post, August 19, 2021, available at https://www.washingtonpost.com/technology/2021/08/19/t-mobile-data-breach-what-to-do/

T-Mobile Has Failed to Secure its Sensitive Data Numerous Times Over the Last Decade

26. T-Mobile is no stranger to data breaches. Rather, data breaches have been a nearly annual event for the company for many years.

27. The Washington Post reported that “[u]nfortunately, dealing with data breaches is nothing new for the company — or its customers. For those keeping count, this is the fifth such incident the wireless carrier has suffered in the past three years, but according to Allie Mellen, a security and risk analyst at Forrester Research, this is ‘the worst breach they’ve had so far.’”5

28. In March 2020, T-Mobile disclosed it was subject to a data breach that exposed customer and employee PII, including names, addresses, social security numbers, financial account information, government identification numbers, phone numbers and billing account information.6 Later in 2020, T-Mobile suffered another data breach in which hackers accessed customer proprietary network information (CPNI) and undisclosed call-related information for hundreds of thousands of customers.7

5 Id.
6 T-Mobile Breach Leads To The Exposure Of Employee Email Accounts And User Data, Identity Theft Resource Center, Mar. 2020, available at https://www.idtheftcenter.org/t-mobile-breach-leads-to-the-exposure-of-employee-email-accounts-and-user-data/#:~:text=On%20Thursday%2C%20March%204%2C%202020%2C%20T-Mobile%20disclosed%20a,separate%20data%20breach%20notification%20letters%20on%20their%20website.
7 Second Data Breach in 2020 for T-Mobile Exposed Customer and Call-Related Information of 200,000 Subscribers, CPO Magazine, Jan. 11, 2021, available at https://www.cpomagazine.com/cyber-security/second-data-breach-in-2020-for-t-mobile-exposed-customer-and-call-related-information-of-200000-subscribers/#:~:text=T-Mobile%20suffered%20a%20data%20breach%20in%20which%20hackers,the%20fourth%20to%20hit%20the%20company%20since%202018.

29. In November 2019, hackers accessed PII for roughly 1 million T-Mobile prepaid customers.8 The PII in that breach included names, phone numbers, addresses, account information, and rate, plan and calling features (i.e., paying for international calls).9

30. In 2018, hackers gained access to T-Mobile servers and stole PII of roughly two million T-Mobile customers.10 The stolen PII included names, email addresses, account numbers, other billing information, and encrypted passwords.11 T-Mobile misleadingly downplayed the hack, claiming that no passwords were “compromised.”12 In truth, the hackers stole millions of encrypted passwords that were likely cracked due to the weak encoding algorithm employed by T-Mobile, leading one security expert to advise affected customers to assume their passwords were cracked and change them as a result.13

31. In 2017, Karan Saini, a security researcher, found a bug on a T-Mobile website that allowed hackers to access PII like email addresses, account numbers, and IMSI numbers, just by knowing or guessing a customer’s phone number.14 According to Saini, “T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users.”15 Saini explained “[t]hat would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim.”16 T-Mobile had no mechanism in place to prevent this type of critical data breach, according to Saini.17 According to a hacker, the bug had been exploited by multiple hackers over a multi-week period before it was discovered by Saini.18 In fact, the hackers who found the bug before Saini went so far as to upload a tutorial on how to exploit it on YouTube.19

32. And in 2015, T-Mobile customers’ PII was accessed and exfiltrated in conjunction with the Experian data breach. According to T-Mobile at the time, the company was notified by Experian, a vendor that processes their credit applications, that they had experienced a data breach. The hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing. The records stolen included information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian determined that encryption may have been compromised.20

8 Coldeway, Devin, More than 1 million T-Mobile customers exposed by breach, TechCrunch, Nov. 22, 2019, available at https://techcrunch.com/2019/11/22/more-than-1-million-t-mobile-customers-exposed-by-breach/#:~:text=More%20than%201%20million%20T-Mobile%20customers%20exposed%20by,password%20data%29%20was%20exposed%20to%20a%20malicious%20actor.
9 Id.
10 Franceschi-Bicchierai, Lorenzo, Hackers Stole Personal Data of 2 Million T-Mobile Customers, Motherboard Tech, Aug, 23, 2018, available at https://www.vice.com/en/article/a3qpk5/t-mobile-hack-data-breach-api-customer-data.
11 Id.
12 Id.
13 Id.
14 Franceschi-Bicchierai, Lorenzo, T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number, Motherboard Tech, Oct. 10, 2017, available at https://www.vice.com/en/article/wjx3e4/t-mobile-website-allowed-hackers-to-access-your-account-data-with-just-your-phone-number.
15 Id.
16 Id.
17 Id.
18 Id.
19 Id.
20 A Letter from CEO John Legere on Experian Data Breach, Sept. 30, 2015, available at https://www.t-mobile.com/news/blog/experian-data-breach

Defendant’s Relevant Privacy Policies

33. T-Mobile’s Privacy Policy is available on its website and provides customers with terms and conditions regarding the treatment of their PII, including how T-Mobile uses customers’ data for its own benefit and profit.

34. For example, it states T-Mobile uses customers’ personal data to “[a]dvertise and market products and services from T-Mobile and other companies to you, including through targeted advertising and communications about promotions and events, contents, and sweepstakes”; and “[c]onduct research and create reports from analysis of things like usage patterns and trends and deidentify or aggregate personal data to create business and market analysis and reports.”

35. The policy, dated May 5, 2021, also states: “[S]tarting on April 26, 2021, T-Mobile began “using some data we have about you, including information we learn from your web and device usage data (like the apps installed on your device) and interactions with our products and services, for our own and 3rd party advertising, unless you tell us not to.”

36. According to the policy’s California privacy rights section, included for purposes of complying with the CCPA, in the past 12 months T-Mobile has sold to third parties “shared device identifiers and internet and electronic network activity to facilitate online advertising. This means that a unique, resettable number that identifies your device was linked to online activity and shared with others who use that data for advertising and analytics purposes (like advertising networks, data analytics providers, and social media platforms).”

37. Based on the customer PII T-Mobile collects and sells, T-Mobile states that its customers “see T-Mobile and other advertisements on your devices - whether you are connected to our network or not. These ads may be targeted to your device based on information that we, the advertiser, and other third parties have about your behavior or interests ….”

38. T-Mobile also “works with third parties, including advertising networks, which collect information about you through devices, websites, and apps, serve ads for us and others, and measure their effectiveness. … For example, third parties like Google Ad Manager and Nielsen may use technology to collect data to deliver, personalize, and measure ads for some of our Products and Services. This technology allows tracking of device activity over time across online properties.”

39. In addition, T-Mobile partners “with analytic service providers like Google Analytics to help track your use of our products and services.” “If your mobile device is turned on, our network is collecting data about where it is. We may use, provide access to, or disclose this network location data without your permission to provide and support our services.”

40. After listing all of these ways T-Mobile benefits and profits from tracking and targeting its customers through collecting and maintaining their invaluable PII, T-Mobile’s Privacy Policy goes on to ensure its customers that their PII is secure, stating that (i) personal data will be disclosed only “with your consent, which we may get in writing, online, or orally,” and (ii) T-Mobile uses “administrative, technical, contractual, and physical safeguards designed to protect your data while it is under our control.” Yet again, those safeguards have failed.

Plaintiff Veera Daruwalla

41. Plaintiff Veera Daruwalla has been a customer of T-Mobile from approximately 2018 through the present, and is a resident of Bakersfield, California.

42. On approximately August 17, 2021, Ms. Daruwalla became aware that T-Mobile had suffered a massive data breach and customer PII was being sold by hackers. Since then, she has spent hours addressing the resulting privacy concerns, including researching the nature of the breach, and reviewing her financial and credit account statements for evidence of unauthorized activity, which she will continue to do for years into the future.

Plaintiff Michael March

43. Plaintiff Michael March is a former T-Mobile customer who resides in Chalmette, Louisiana.

44. Mr. March was a customer of T-Mobile from approximately 2013 through early August 2021.

45. On approximately August 8, 2021, Mr. March visited a T-Mobile store located at 8700 W. Judge Perez Drive in Chalmette, Louisiana to raise concerns about privacy issues he had been experiencing with his T-Mobile account. Specifically, Mr. March believed that someone gained access to his T-Mobile account without authorization. The T-Mobile representative working at the store was dismissive of Mr. March’s concerns.

46. On approximately August 10, 2021, Mr. March visited the same T-Mobile store to cancel his account due to the privacy concerns he raised with T-Mobile two days prior. The following week, Mr. March learned through news reports that T-Mobile had suffered a massive data breach and customer data was being sold on underground websites.

47. Mr. March has spent numerous hours communicating with T-Mobile representatives about his privacy concerns, canceling his T-Mobile service and switching to a different cellular service provider, researching the nature of the breach, and reviewing his financial and credit account statements for evidence of unauthorized activity, which he will continue to do for years into the future.

Plaintiff Lavicieia Sturdivant

48. Plaintiff Lavicieia Sturdivant is a current T-Mobile customer who resides in Evanston, Illinois.

49. Ms. Sturdivant has been a customer of T-Mobile for approximately 18 years.

50. On August 19, 2021, Ms. Sturdivant received a text message from T-Mobile informing her that her PII was compromised in the Data Breach. Specifically, the text message stated that “T-Mobile has determined that unauthorized access to some of your personal data has occurred. We have no evidence that debit/credit card information was compromised. We take the protection our customers seriously. We are taking actions to protect your T-Mobile account and we recommend that you take action to protect your credit. Read more here: t-mo.co/Protect”.

51. Receiving this message caused Ms. Sturdivant immediate distress as she is in the process of closing on a home and justifiably concerned that she could be the victim of identity theft or fraud. T-Mobile’s message also created more questions than it answered. It did not explain the nature of the attack, the identity of the hackers, what information was compromised for Ms. Sturdivant, or the fact that the information had already been released and listed for sale on the dark web. T-Mobile’s decision to withhold these key facts is significant because affected individuals may take different precautions depending on the severity and imminence of the perceived risk. By failing to provide these material facts, T-Mobile prevented victims from taking meaningful, proactive, and targeted mitigation measures that could help protect them from years of harm.

52. As a result of the data breach and T-Mobile’s deficient notice, Ms. Sturdivant has spent time and effort conducting her own research into the breach and reviewing her financial and credit account statements for evidence of unauthorized activity, which she will continue to do for years into the future. Ms. Sturdivant has also suffered emotional distress knowing that her information is now available for sale and can be used to commit blackmail, extortion, identity theft or fraud, and any number of additional harms against her for the rest of her life.

FTC Security Guidelines Concerning PII

53. The Federal Trade Commission (“FTC”) has established security guidelines and recommendations to help entities protect PII and reduce the likelihood of data breaches.

54. Section 5 of the FTC Act, 15 U.S.C. § 45, prohibits “unfair . . . practices in or affecting commerce,” including, as interpreted by the FTC, failing to use reasonable measures to protect PII by companies like Defendant. Several publications by the FTC outline the importance of implementing reasonable security systems to protect data. The FTC has made clear that protecting sensitive customer data should factor into virtually all business decisions.

55. In 2016, the FTC provided updated security guidelines in a publication titled Protecting Personal Information: A Guide for Business. Under these guidelines, companies should protect consumer information they keep; limit the sensitive consumer information they keep; encrypt sensitive information sent to third parties or stored on computer networks; identify and understand network vulnerabilities; regularly run up-to-date anti-malware programs; and pay particular attention to the security of web applications – the software used to inform visitors to a company’s website and to retrieve information from the visitors.