BELLEVUE, Wash. — The Attorney General (AG) is suing Bellevue-based T-Mobile for “failing to adequately secure sensitive personal information of more than 2 million Washingtonians,” according to a news release.
Washington AG Bob Ferguson said the failure led to a “massive data breach” that exposed the personal information of the affected consumers, making them vulnerable to fraud and identity theft.
Other MyNW news: Mercer Island police investigate middle school vandalism, hate crime
The lawsuit, filed in King County Superior Court, claimed T-Mobile knew about the security issues for years, but didn’t do enough to fix them. The AG’s Office also claimed the company was not correct in saying it prioritizes protecting its customers’ data. It also alleged T-Mobile failed to properly notify the impacted Washingtonians of the data breach, downplayed its severity and did not disclose all the information that was compromised.
The AG’s Office believes the massive data breach was the company’s fault.
“This significant data breach was entirely avoidable,” Ferguson said in the release. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems and it failed.”
The data breach started in March 2021 and was not discovered until August 12, 2021, the AG’s Office explained. The company found out a hacker gained access to the company’s internal network when an anonymous source notified the company that its customers’ data was posted for sale on the dark web.
The breach exposed the personal information of more than 79 million customers across the country, with 2,025,634 of those in Washington. Of those, 183,406 Washingtonians had their Social Security numbers compromised, the release stated.
The company sent out a text that said in part, “T-Mobile has determined that unauthorized access to some of your personal data has occurred. We have no evidence that your debit/credit card information was compromised.” The text left out any information about social security numbers being compromised.
“Because T-Mobile’s breach notifications omitted critical information and downplayed the severity, it affected consumers’ ability to adequately assess their risk of identity theft or fraud,” the news release stated.
T-Mobile sent the following response to KIRO Newsradio on Monday.
“We have had multiple conversations about this incident from 2021 with the Washington AG’s office over the last several years and even reached out in late November to continue discussions, so the office’s decision to file a lawsuit today came as a surprise.
While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC. We also look forward to sharing how T-Mobile has fundamentally transformed our approach to cyber security over the past four years to further protect our customers.”
Local crime: Man charged in Metro bus stabbing pleads not guilty
According to The Associated Press, In July 2022, T-Mobile agreed to pay $350 million to customers affected by a class-action lawsuit filed by the Securities and Exchange Commission after the company disclosed personal data was stolen. However, the company said the settlement contained no admission of liability, wrongdoing or responsibility by any of the defendants.
Ferguson’s lawsuit, according to the AG’s Office, seeks civil penalties and institutions for those in Washington who were harmed by the data breach.
T-Mobile was awarded the naming rights to the Seattle Mariners’ stadium in 2019 for $87.5 million. The agreement between T-Mobile and the ballpark is expected to last 25 years.
Contributing: Anne D’Innocenzio, The Associated Press
Julia Dallas is a content editor at MyNorthwest. You can read her stories here. Follow Julia on X here and email her here.
©2025 Cox Media Group
