Updated below with T-Mobile statement.
A new court petition alleges that T-Mobile is refusing to fully comply with investigative demands from law enforcement authorities in its home state who have been probing the company’s security practices since a breach nearly two years ago that impacted 76 million customers across the country.
“Throughout this investigation, T-Mobile has either provided insufficient responses, or refused to respond outright, to the State’s Civil Investigative Demands (CIDs), all while continuing to suffer repeated data breaches,” alleges the office of Washington state Attorney General Bob Ferguson in the filing.
The petition, filed Thursday in King County Superior Court in Seattle, seeks a court order requiring the Bellevue, Wash.-based company to comply with a series of investigative questions and requests for documents.
T-Mobile said in a statement, “We are continuing to review this filing but were surprised to see that the AG’s office excluded the fact that they were part of the multi-state investigation where they were given access to over one hundred pages of narrative responses and thousands of documents. Our response will provide the Court with a more complete record of this investigation.”
The AG’s filing says T-Mobile is declining to fully comply on the grounds that “all information relevant to the August 2021 Breach has already been produced to other regulatory agencies and provided to Washington.”
The company is also making the case that “materials related to previous security incidents and revenue derived from user data are beyond the scope of the State’s investigation,” the filing says.
In July 2022, T-Mobile agreed to a settlement totaling $500 million to resolve consumer class-action claims, which was one of the largest data breach payouts in US history. The settlement consisted of $350 million for consumers and $150 million to upgrade the company’s data protection.
The company disclosed additional data breaches in February and March of this year.
“We’ve had a couple of bad events over the last few years that have really knocked us on our side,” acknowledged T-Mobile CEO Mike Sievert at a Technology Alliance luncheon in Seattle in May.
However, he called the breaches “a catalyst for even more focus in this area to make sure we have the right technology, the right architecture that’s fundamentally protected, and the right level of investment.”
Among other claims, the filing accuses T-Mobile of sidestepping requests for information about its security practices by inviting the AG’s office to a presentation on updated security practices rather than providing requested information, and later asserting that by declining the invitation, the state had forfeited its rights to the requested data.
“Withheld documents include internal security audits, board meeting minutes, presentations, reports, charts/tables, memos, and notes,” the AG’s filing says. “By way of example, when asked to provide the names of audits performed, T-Mobile made clear that it views the names of internal audits themselves as privileged.”
The AG’s filing itself is heavily redacted, including two long blocks of blacked-out text under the “Factual Background” section of the petition. Other redacted sections include the details of the AG’s claim that T-Mobile “instructed a security vendor to designate material as privileged regardless of its content.”
GeekWire has asked the AG’s office to provide the legal justification for the redactions. Here’s the full text of the petition.
STATE OF WASHINGTON, Petitioner, v. T-MOBILE USA, INC., Respondent.