On January 22, 2023, T-Mobile was sued in federal court in California alleging negligence, unjust enrichment, breach of express contract, breach of implied contract, and invasion of privacy over the recently-disclosed data breach of more than 37 million postpaid and prepaid customer records.
According to the complaint, the plaintiff was informed just two days before suit was filed that information belonging to her and other class members was “accessed and acquired by the unauthorized actor” and that class members “are at imminent risk of identity theft.”
On the other hand, T-Mobile has stated in a recently filed Form 8-K that the threat actor obtained data through a single API (application programming interface), that the company discovered and stopped it within one day, and that the threat actor was unable to compromise its systems or network. Significantly, T-Mobile stated that the data accessed by the bad actor did not include any financial information or Social Security numbers. Instead, the data accessed included customers’ “names, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.”
Based on the facts presented by T-Mobile, we expect that the company will vigorously defend the suit and a motion to dismiss the complaint will be forthcoming. There is strong precedent that requires plaintiffs to prove substantial harm in order to withstand a motion to dismiss. No matter how this particular case plays out, what is astounding is the speed at which suits are filed after a data breach is announced, no matter the facts.