`UNITED STATES DISTRICT COURT
`WESTERN DISTRICT OF WASHINGTON
`
`STEPHANIE ESPANOZA, JONATHAN MORALES
`and ALEX PYGIN, individually and on behalf of
`all others similarly situated,
`
`Plaintiffs,
`
`v.
`
`T‐MOBILE USA, INC.,
`
`Defendant.
`
`Case No.
`
`CLASS ACTION COMPLAINT
`
`JURY TRIAL DEMANDED
`
`
`
`Plaintiffs Stephanie Espanoza, Jonathan Morales and Alex Pygin (“Plaintiffs”) bring this
`Class Action Complaint against Defendant T‐Mobile USA, Inc. (“T‐Mobile” or “Defendant”) as
`individuals and on behalf of all others similarly situated, and allege, upon personal knowledge
`as to their own actions, their counsel’s investigations, and facts that are a matter of public
`record, and upon information and belief as to all other matters, as follows:
`
`I.
`NATURE OF THE ACTION
`1.
`This class action arises out of the recent cyberattack and data breach that was
`perpetrated against Defendant T‐Mobile, a national telecommunications company that
`provides mobile telephone services to customers throughout the United States (the “Data
`Breach”). The Data Breach resulted in unauthorized access and exfiltration of highly sensitive
`and personal information (the “Private Information”).
`
`CLASS ACTION COMPLAINT ‐ 1
`
`TERRELL MARSHALL LAW GROUP PLLC
`936 North 34th Street, Suite 300
`Seattle, Washington 98103‐8869
`TEL. 206.816.6603 FAX 206.319.5450
`www.terrellmarshall.com
`
`
`
`Case 2:21-cv-01119 Document 1 Filed 08/19/21 Page 2 of 49
`
`
`
`2.
`As a result of the Data Breach, Plaintiffs and approximately 40 million former or
`prospective customers who applied for credit with T‐Mobile, 7.8 million current postpaid
`customers, and 850,000 active prepaid customers (the “Class Members”)1 suffered present
`injury and damages in the form of identity theft, out‐of‐pocket expenses and the value of the
`time reasonably incurred to remedy or mitigate the effects of the unauthorized access,
`exfiltration, and subsequent criminal misuse of their sensitive and highly personal information.
`3.
`The Private Information compromised in the Data Breach includes names, phone
`numbers, drivers’ licenses, government identification numbers, Social Security numbers, dates
`of birth, and T‐Mobile account PINs. 2
`4.
`Plaintiffs bring this class action lawsuit on behalf of those similarly situated to
`address Defendant’s inadequate safeguarding of Class Members’ Private Information that it
`collected and maintained.
`5.
`Defendant maintained the Private Information in a reckless manner. In
`particular, the Private Information was maintained on Defendant’s computer system and
`network in a condition vulnerable to cyberattacks.
`6.
`The mechanism of the cyberattack and potential for improper disclosure of
`Plaintiffs’ and Class Members’ Private Information was a known risk to Defendant, and thus
`Defendant was on notice that failing to take steps necessary to secure the Private Information
`from the risk of a ransomware attack.
`7.
`Plaintiffs’ and Class Members’ identities are now at considerable risk because of
`Defendant’s negligent conduct since the Private Information that T‐Mobile collected and
`maintained is now in the hands of data thieves.
`
`
`1 See T‐Mobile Shares Additional Information Regarding Ongoing Cyberattack Investigation, T‐Mobile (Aug. 17,
`2021), https://www.t‐mobile.com/news/network/additional‐information‐regarding‐2021‐cyberattack‐
`investigation (last visited Aug. 19, 2021).
`
`2 Id.
`
`8.
`Armed with the Private Information accessed in the Data Breach, data thieves
`can commit a variety of crimes, including but not limited to fraudulently applying for
`unemployment benefits, opening new financial accounts in Class Members’ names, taking out
`loans in Class Members’ names, using Class Members’ information to obtain government
`benefits (including unemployment or COVID relief benefits), filing fraudulent tax returns using
`Class Members’ information, obtaining driver’s licenses in Class Members’ names but with
`another person’s photograph and providing false information to police during an arrest.
`9.
`Plaintiffs’ and Class Members’ Private Information was compromised due to
`Defendant’s negligent and/or careless acts and omissions and its failure to adequately protect
`the Private Information of its current, former, and prospective clients.
`10.
`As a result of the Data Breach, Plaintiffs and Class Members are exposed to a
`heightened present and imminent risk of fraud and identity theft. As a result of Defendant’s
`actions and inactions, as set forth herein, Plaintiffs and Class Members must now and in the
`future closely monitor their financial accounts and information to guard against identity theft,
`among other issues.
`11.
`Plaintiffs and Class Members have and may in the future incur actual monetary
`costs, including but not limited to the cost of purchasing credit monitoring services, credit
`freezes, credit reports or other protective measures to deter and detect identity theft.
`12.
`Plaintiffs and Class Members have and may in the future expend time spent
`mitigating the effects of the Data Breach, including time spent dealing with actual or attempted
`fraud and identity theft.
`13.
`By their Complaint, Plaintiffs seek to remedy these harms on behalf of
`themselves and all similarly situated individuals whose Private Information was accessed during
`the Data Breach.
`14.
`Accordingly, Plaintiffs bring this action on behalf of all persons whose Private
`Information was compromised as a result of Defendant’s negligence and failure to: (i)
`adequately protect its customers’ Private Information, (ii) warn its current, former, and
`potential customers of their inadequate information security practices, and (iii) effectively
`monitor their data systems for security vulnerabilities and incidents. Defendant’s conduct
`amounts to negligence and violates federal and state statutes.
`15.
`Plaintiffs seek remedies including, but not limited to, compensatory damages,
`reimbursement of out‐of‐pocket costs, and injunctive relief including improvements to
`Defendant’s data security systems, future annual audits, and adequate credit monitoring
`services funded by Defendant.
`
`II.
`PARTIES
`16.
`Plaintiff Stephanie Espanoza is a citizen of California residing in Los Angeles,
`California.
`17.
`Plaintiff Jonathan Morales is a citizen of California residing in Sacramento,
`California.
`18.
`Plaintiff Alex Pygin is a citizen of California residing in Irvine, California.
`19.
`Defendant T‐Mobile is a for‐profit company incorporated in Delaware with its
`principal place of business in the State of Washington at 12920 SE 38th St, Bellevue,
`Washington 98006.
`
`III.
`JURISDICTION AND VENUE
`20.
`This Court has subject matter jurisdiction over this action under 28 U.S.C. §
`1332(d) because this is a class action wherein the amount in controversy exceeds the sum or
`value of $5,000,000, exclusive of interest and costs, there are more than 100 members in the
`proposed class, and at least one member of the class is a citizen of a state different from
`Defendant.
`21.
`This Court has personal jurisdiction over Defendant because Defendant has its
`principal place of business in the State of Washington.
`22.
`Venue is proper in this Court pursuant to 28 U.S.C. § 1391 because a substantial
`part of the events or omissions giving rise to these claims occurred in, were directed to, and/or
`emanated from this District. Defendant resides within this judicial district and a substantial part
`of the events giving rise to the claims alleged herein occurred within this judicial district.
`
`IV.
`
`FACTUAL ALLEGATIONS
`
`A.
`
`Defendant’s Business
`
`23.
`Defendant is a national telecommunications company that provides mobile
`communication services, among other products and services, throughout the United States and
`around the globe.
`24.
`In 2019 alone, T‐Mobile claims to have increased its customer base by 7 million
`and had revenues totaling $45 billion. 3
`25.
`According to Defendant, as of the second quarter of 2021, T‐Mobile had 104.8
`million customers, making it one of the largest telecommunications providers in the United
`States and in the world. 4
`26.
`Upon information and belief, in the ordinary course of doing business,
`Defendant collects sensitive Private Information from customers and potential customers such
`as:
`
`• Name;
`• Address;
`• Phone number;
`• Driver’s license number;
`• Social Security number;
`• Financial information;
`• Government identification number; and
`• Date of birth.
`
`
`3 See Our Story, T‐Mobile, https://www.t‐mobile.com/our‐story (last visited Aug. 19, 2021).
`4 See Investor Factbook, T‐Mobile, https://s24.q4cdn.com/400059132/files/doc_financials/2021/q2/NG_TMUS‐
`06_30_2021‐EX‐99.2.pdf, at p. 6 (last visited Aug. 19, 2021).
`
`27.
`In the course of collecting Private Information from customers and potential
`customers, including Plaintiffs and Class Members, Defendant promises to provide
`confidentiality and security for customers’ and potential customers’ Private Information,
`including by promulgating and placing privacy policies on its website.
`28.
`In the T‐Mobile Privacy Notice (hereinafter “Privacy Notice”), which is effective
`as of May 5, 2021 and provided on Defendant’s website, Defendant states that “[Customers]
`trust T-Mobile to connect [customers] to the world every day, and we’re working hard to earn a
`place in [customers’] heart[s]. A big part of that is maintaining [customer] privacy.” 5
`29.
`Further in the Privacy Notice, Defendant promises to protect consumers’ Private
`Information and that it uses “administrative, technical, contractual, and physical safeguards
`designed to protect [customer] data while it is under our control.” 6
`30.
`However, Defendant failed to protect and safeguard Plaintiffs’ and Class
`Members’ Private Information. In fact, there is no indication that Defendant followed even its
`most basic promises. For example, T‐Mobile does not claim that any of the stolen Private
`Information was encrypted, including usernames and passwords.
`
`B.
`
`The Data Breach
`
`31.
`On or about August 15, 2021, media reports indicated that T‐Mobile was
`“investigating a forum post claiming to be selling a mountain of personal data” that had come
`from T‐Mobile servers that contained personal customer data. 7
`32.
`The reports also claimed that a portion of the stolen T‐Mobile customer data,
`including “30 million Social Security numbers and drivers licenses,” were being sold on the dark
`web for approximately $270,000. 8
`
`
`5 T‐Mobile Privacy Notice, T‐Mobile, https://www.t‐mobile.com/privacy‐center/our‐practices/privacy‐policy (last
`visited Aug. 19, 2021).
`6 Id.
`7 See Joseph Cox, T‐Mobile Investigating Claims of Massive Customer Data Breach, Vice (Aug. 15, 2021),
`https://www.vice.com/en/article/akg8wg/tmobile‐investigating‐customer‐data‐breach‐100‐million (last visited
`Aug. 19, 2021).
`8 Id.
`
`33.
`On August 16, 2021, T‐Mobile released a statement that a sophisticated
`cyberattack had enabled “unauthorized access to some T‐Mobile data” by cyberthieves and
`that it had launched an investigation into the Data Breach. 9
`34.
`On August 17, 2021, T‐Mobile released a statement saying that “[while] our
`investigation is still underway and we continue to learn additional details, we have now been
`able to confirm that the data stolen from our systems did include some personal
`information.”10
`35.
`On August 19, 2021, T‐Mobile posted a “Notice of Data Breach” on its website,
`confirming that: “T‐Mobile learned that a bad actor illegally accessed personal data. Our
`investigation is ongoing, but we have verified that a subset of T‐Mobile data had been accessed
`by unauthorized individuals and the data stolen from our systems did include some personal
`information.” 11
`36.
`Also on August 19, 2019, T‐Mobile began texting the following notice, in part, to
`Class Members, including Plaintiffs Espanoza and Morales: “T‐Mobile has determined that
`unauthorized access to some of your personal data has occurred.”
`37.
`In addition, the initial investigation discovered that “7.8 million current T‐Mobile
`postpaid customer accounts’ information appears to be contained in the stolen files, as well as
`just over 40 million records of former or prospective customers who had previously applied for
`credit with T‐Mobile.” 12
`
`9 T‐Mobile Cybersecurity Incident Update, T‐Mobile (Aug. 16, 2021),
`https://www.t‐mobile.com/news/network/cybersecurity‐incident‐update‐august‐2021 (last visited Aug. 19, 2021).
`10 Supra, note 1.
`11 See Notice of Data Breach: Keeping You Safe from Cybersecurity Threats, T‐Mobile (Aug. 19, 2021),
`https://www.t‐mobile.com/brand/data‐breach‐2021 (last visited Aug. 19, 2021).
`12 Supra, note 1.
`
`38.
`T‐Mobile also confirmed that the cyberthieves accessed and stole “customers’
`first and last names, date of birth, SSN, and driver’s license/ID information for a subset of
`current and former postpay customers and prospective T‐Mobile customers[,]” as well as
`“850,000 active T‐Mobile prepaid customer names, phone numbers and account PINs[.]” 13
`39.
`At this time, Defendant has not indicated how long the unauthorized third‐party
`had unfettered access to sensitive, protected, and confidential customer information stored on
`Defendant’s network, such as Plaintiffs’ and Class Members’ Private Information. Had
`Defendant taken its data security obligations more seriously, Defendant would have discovered
`and stopped the unauthorized intrusion sooner.
`40.
`Upon information and belief, the cyberattack was targeted at Defendant due to
`its status as a leading telecommunications company that collects and maintains valuable Private
`Information, such as Social Security numbers and financial information.
`41.
`The targeted cyberattack was expressly designed to gain access to private and
`confidential data, including (among other things) the Private Information of current, former,
`and prospective customers, like Plaintiffs and the Class Members.
`42.
`Because of this targeted cyberattack, data thieves were able to gain access to
`Defendant’s servers and subsequently access and exfiltrate the protected Private Information
`of Plaintiffs and Class Members.
`43.
`By Defendant’s own admission, “we have now been able to confirm that the data
`stolen from our systems did include some personal information” which means that Plaintiffs’
`and Class Members’ Private Information was exfiltrated as well, not merely viewed without
`authorization.
`44.
`The files accessed by this incident contained the following information: names,
`dates of birth, phone numbers, drivers’ licenses, government identification numbers, Social
`Security numbers, and T‐Mobile account PINs.
`45.
`There is no indication that the Private Information contained in the stolen files
`was encrypted.
`
`13 Id.
`
`46.
`Plaintiffs’ Private Information was accessed and stolen in the Data Breach.
`Plaintiffs further believe their stolen Private Information was subsequently sold on the Dark
`Web.
`
`47.
`Defendant’s offer of twenty‐four months of complimentary credit monitoring
`services is an acknowledgment by T‐Mobile that the impacted individuals are subject to a
`present and ongoing threat of fraud and identity theft.
`48.
`Defendant had obligations created by contract, industry standards, common law,
`and representations made to Plaintiffs and Class Members to keep their Private Information
`confidential and to protect it from unauthorized access and disclosure.
`49.
`Plaintiffs and Class Members provided their Private Information to Defendant
`with the reasonable expectation, and mutual understanding, that Defendant would comply
`with its obligations to keep such information confidential and secure from unauthorized access.
`
`C.
`
`Defendant Was Aware of the Risks of a Data Breach
`
`50.
`Defendant had obligations created by contract, industry standards, common law,
`and representations made to Plaintiffs and Members of the Classes, to keep their Private
`Information confidential and to protect it from unauthorized access and disclosure.
`51.
`Plaintiffs and Class Members provided their Private Information to Defendant
`with the reasonable expectation and mutual understanding that Defendant would comply with
`its obligations to keep such information confidential and secure from unauthorized access.
`52.
`Defendant’s data security obligations were particularly important given the
`substantial increase in cyber‐attacks and/or data breaches preceding the date of the breach.
`53.
`Data breaches have become widespread. For example, the United States saw
`1,244 data breaches in 2018 and had 446.5 million exposed records. 14
`
`
`14 98 Must‐Know Data Breach Statistics for 2021, Varonis, https://blogvaronis2.wpengine.com/data‐breach‐
`statistics/ (last visited Aug. 19, 2021).
`
`54.
`Defendant clearly understood this reality because a quote, posted on
`Defendant’s website, by a senior manager of T‐Mobile’s Cyber Architecture & Controls unit
`stated that:
`
`At T‐Mobile, everyone is challenge[d] to think outside of
`conventional approaches to digital security; all know assumptions
`are reevaluated. We work on forward‐thinking technologies,
`including micro‐segmentation, machine learning, predictive
`analytics, web situational awareness, advance threat mitigation,
`active defense, data obfuscation and next‐generation endpoint
`technologies it. 15
`
`55.
`However, T‐Mobile failed to fully implement data security systems and
`protect critical Private Information belonging to consumers.
`56.
`Indeed, data breaches, such as the one experienced by Defendant, have become
`so notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued
`a warning to potential targets, so they are aware of, and prepared for, a potential attack.
`Therefore, the increase in such attacks, and attendant risk of future attacks, was widely known
`and completely foreseeable to the public and to anyone in Defendant’s industry, including
`Defendant.
`57.
`According to the Federal Trade Commission (“FTC”), identity theft wreaks havoc
`on consumers’ finances, credit history, and reputation and can take time, money, and patience
`to resolve.16 Identity thieves use stolen personal information for a variety of crimes, including
`government benefits fraud, phone or utilities fraud, and bank and finance fraud. 17
`
`
`15 Digital Security, T‐Mobile, https://www.t‐mobile.com/careers/digital‐security (last visited Aug. 19, 2021).
`16 See Taking Charge, What to Do If Your Identity is Stolen, FTC, 3 (Apr. 2013), https://dss.mo.gov/cd/older‐youth‐
`program/files/taking‐charge‐what‐to‐do‐if‐identity‐is‐stolen.pdf (last visited Aug. 19, 2021).
`17 Id. The FTC defines identity theft as “a fraud committed or attempted using the identifying information of
`another person without authority.” 16 CFR § 603.2. The FTC describes “identifying information” as “any name or
`number that may be used, alone or in conjunction with any other information, to identify a specific person,”
`including, among other things, “[n]ame, social security number, date of birth, official State or government issued
`driver's license or identification number, alien registration number, government passport number, employer or
`taxpayer identification number.” See Taking Charge, What to Do If Your Identity is Stolen, FTC, 3 (Apr. 2013),
`https://dss.mo.gov/cd/older‐youth‐program/files/taking‐charge‐what‐to‐do‐if‐identity‐is‐stolen.pdf (last visited
`Aug. 19, 2021).
`
`58.
`The Private Information of Plaintiffs and Members of the Classes was taken by
`hackers to engage in identity theft and/or to sell it to other criminals who will purchase the
`Private Information for that purpose. The fraudulent activity resulting from the Data Breach
`may not come to light for years.
`59.
`Defendant knew, or reasonably should have known, of the importance of
`safeguarding the Private Information of Plaintiffs and Members of the Classes, including Social
`Security numbers, driver’s license, and/or dates of birth, and of the foreseeable consequences
`that would occur if Defendant’s data security systems were breached, including, specifically,
`the significant costs that would be imposed on Plaintiffs and Members of the Classes as a result of
`a breach.
`60.
`Plaintiffs and Members of the Classes now face years of constant surveillance of
`their financial and personal records, monitoring, and loss of rights. The Classes are incurring
`and will continue to incur such damages in addition to any fraudulent use of their Private
`Information.
`61.
`The injuries to Plaintiffs and Members of the Classes were directly and
`proximately caused by Defendant’s failure to implement or maintain adequate data security
`measures for the Private Information of Plaintiffs and Members of the Classes.
`
`D.
`
`Defendant Failed to Comply with FTC Guidelines
`
`62.
`The FTC has promulgated numerous guides for businesses which highlight the
`importance of implementing reasonable data security practices. According to the FTC, the need
`for data security should be factored into all business decision‐making.
`63.
`In 2016, the FTC updated its publication, Protecting Personal Information: A
`Guide for Business, which established cyber‐security guidelines for businesses. The guidelines
`note that businesses should protect the personal customer information that they keep;
`properly dispose of personal information that is no longer needed; encrypt information stored
`on computer networks; understand their network’s vulnerabilities; and implement policies to
`correct any security problems. The guidelines also recommend that businesses use an intrusion
`detection system to expose a breach as soon as it occurs; monitor all incoming traffic for
`activity indicating someone is attempting to hack the system; watch for large amounts of data
`being transmitted from the system; and have a response plan ready in the event of a breach.
`64.
`The FTC further recommends that companies not maintain Private Information
`longer than is needed for authorization of a transaction; limit access to sensitive data; require
`complex passwords to be used on networks; use industry‐tested methods for security; monitor
`for suspicious activity on the network; and verify that third‐party service providers have
`implemented reasonable security measures.
`65.
`The FTC has brought enforcement actions against businesses for failing to
`protect consumer data adequately and reasonably, treating the failure to employ reasonable
`and appropriate measures to protect against unauthorized access to confidential consumer
`data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act
`(“FTCA”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures
`businesses must take to meet their data security obligations.
`66.
`Defendant failed to properly implement basic data security practices, and their
`failure to employ reasonable and appropriate measures to protect against unauthorized access
`to consumer Private Information constitutes an unfair act or practice prohibited by Section 5 of
`the FTCA, 15 U.S.C. § 45.
`67.
`Defendant was at all times fully aware of their obligation to protect the Private
`Information of current, former, and prospective customers. Defendant was also aware of the
`significant repercussions that would result from their failure to do so.
`
`E.
`
`Defendant Failed to Comply with Industry Standards
`
`68.
`A number of industry and national best practices have been published and
`should have been used as a go‐to resource and authoritative guide when developing
`Defendant’s cybersecurity practices.
`
`69.
`Best cybersecurity practices that are standard in Defendant’s industry include
`encrypting files; installing appropriate malware detection software; monitoring and limiting the
`network ports; protecting web browsers and email management systems; setting up network
`systems such as firewalls, switches and routers; monitoring and protection of physical security
`systems; protection against any possible communication system; and training staff regarding
`critical points.
`70.
`Defendant failed to meet the minimum standards of the following cybersecurity
`frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC‐
`1, PR.AC‐3, PR.AC‐4, PR.AC‐5, PR.AC‐6, PR.AC‐7, PR.AT‐1, PR.DS‐1, PR.DS‐5, PR.PT‐1, PR.PT‐3,
`DE.CM‐1, DE.CM‐4, DE.CM‐7, DE.CM‐8, and RS.CO‐2), and the Center for Internet Security’s
`Critical Security Controls (CIS CSC), which are established standards in reasonable cybersecurity
`readiness.
`71.
`These foregoing frameworks are existing and applicable industry standards in
`Defendant’s industry, and Defendant failed to comply with these accepted standards, thereby
`opening the door to the Cyber‐Attack and causing the Data Breach.
`
`F.
`
`Defendant’s Breach
`
`72.
`T‐Mobile breached its obligations to Plaintiffs and Class Members and/or was
`otherwise negligent and reckless because it failed to properly maintain and safeguard its
`computer systems and data. T‐Mobile’s unlawful conduct includes, but is not limited to, the
`following acts and/or omissions:
`a.
`Failing to maintain an adequate data security system to reduce the risk of
`data breaches and cyberattacks;
`b.
`Failing to adequately protect current, former, and prospective customers’
`Private Information;
`c.
`Failing to properly monitor its own data security systems for existing
`intrusions;
`d.
`Failing to comply with FTC guidelines for cybersecurity, in violation of
`Section 5 of the FTC Act, and;
`e.
`Failing to adhere to industry standards for cybersecurity.
`73.
`T‐Mobile negligently and unlawfully failed to safeguard Plaintiffs’ and Class
`Members’ Private Information.
`74.
`Accordingly, as outlined below, Plaintiffs and Class Members now face an
`increased risk of fraud and identity theft. In addition, Plaintiffs and the Class Members also lost
`the benefit of the bargain they made with T‐Mobile.
`
`G.
`
`The Value of Private Information to Cyber Criminals and Increased Risk of Fraud and
`Identity Theft to Consumers
`
`75.
`Businesses that store personal information are likely to be targeted by cyber
`criminals. Credit card and bank account numbers are tempting targets for hackers. However,
`information such as dates of birth and Social Security numbers are even more attractive to
`hackers; they are not easily destroyed and can be easily used to perpetrate identity theft and
`other types of fraud.
`76.
`The Private Information of individuals remains of high value to criminals, as
`evidenced by the prices they will pay through the dark web. Numerous sources cite dark web
`pricing for stolen identity credentials. For example, personal information can be sold at a price
`ranging from $40 to $200, and bank details have a price range of $50 to $200. 18
`77.
`Social Security numbers, for example, are among the worst kind of personal
`information to have stolen because they may be put to a variety of fraudulent uses and are
`difficult for an individual to change. The Social Security Administration (“SSA”) stresses that the
`loss of an individual’s Social Security number, as is the case here, can lead to identity theft and
`extensive financial fraud:
`
`
`18 See Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends, (Oct. 16, 2019),
`https://www.digitaltrends.com/computing/personal‐data‐sold‐on‐the‐dark‐web‐how‐much‐it‐costs (last visited
`Aug. 19, 2021).
`
`A dishonest person who has your Social Security number can use it
`to get other personal informat