On August 15, reports began circulating that T-Mobile suffered a data breach that may have affected between 53 million and 100 million customers. Only four days later, putative class actions began being filed across the country. Two of those putative class actions, Espanoza et al v. T-Mobile USA Inc and Daruwalla et al v. T-Mobile USA, Inc., were filed in the Western District of Washington, where T-Mobile USA is headquartered.
The Espanoza complaint defines the victims as the “approximately 40 million former or prospective customers who applied for credit with T‐Mobile, 7.8 million current postpaid customers, and 850,000 active prepaid customers.”
On Friday, media reported T-Mobile’s new disclosure of additional affected customers, bringing the current total to more than 53 million customers. Further, the Daruwalla complaint repeated the attackers’ claim that the T-Mobile breach affected “more than 100 million individuals, meaning … all or nearly all T-Mobile customers.”
The Daruwalla complaint defines its putative classes as “All U.S. residents whose data was exfiltrated in the Data Breach” (Nationwide Class) and “All California residents whose data was exfiltrated in the Data Breach” (California Class).
The Espanoza complaint seeks to define the class to include “all persons whose Private Information was compromised as a result of Defendant’s negligence and failure to: (i) adequately protect its customer’s Private Information, (ii) warn its current, former, and potential customers of their inadequate information security practices, and (iii) effectively monitor their data systems for security vulnerabilities and incidents. Defendant’s conduct amounts to negligence and violates federal and state statutes.”
The complaints allege that the breach involved unauthorized access and exfiltration of putative class members’ private information, including:
- names
- addresses
- dates of birth
- phone numbers
- drivers’ licenses
- government identification numbers
- Social Security numbers
- Dates of birth
- Unique IMSI and IMEI numbers (that identify particular mobile devices and SIM cards)
- T‐Mobile account PINs
The Espanoza and Daruwalla lawsuits allege various causes of action, including:
- Negligence and negligence per se
- Unjust enrichment
- Breach of implied contract
- Breach of confidence
- Declaratory judgment
- Allegations under laws of various states (e.g., California, Washington), including the California Consumer Protection Act (CCPA)
These cases and future federal putative class actions may ultimately be consolidated through federal multidistrict litigation (MDL) proceedings and state-court analogues.
The named plaintiffs in the Espanoza case are represented by the Terrell Marshall Law Group.
The named plaintiffs in the Daruwalla case are represented by Tousley, Brain, Stephens PLLC; MoginRubin LLP; and Hausfeld LLP.