T-Mobile is facing a new lawsuit from the Washington State Attorney General over its handling of a 2021 data breach that compromised the personal information of 79 million customers. The lawsuit, filed by Attorney General Bob Ferguson, accuses the telecommunications giant of failing to secure its systems despite knowing of cybersecurity vulnerabilities for years prior to the breach.

According to Ferguson, the breach exposed sensitive data, including names, addresses, phone numbers, Social Security numbers, and driver’s license information. More than 2 million Washington residents were affected, with at least 183,000 having their Social Security numbers stolen. The cyberattack, which started in March 2021, went undetected until August of that year.

Ferguson stated, “This significant data breach was entirely avoidable. T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”

The hackers exploited an “easily guessable username and password” and a lack of adequate security monitoring. Ferguson’s lawsuit alleges that T-Mobile failed to meet industry cybersecurity standards, which allowed the attack to go unnoticed for months. The breach was only discovered after an outside source reported that customer data was being sold on the dark web.

According to TechCrunch, the lawsuit also claims that T-Mobile misled customers about the severity of the breach. Notifications sent to affected individuals reportedly left out critical information, making it difficult for them to assess their risk of identity theft.

This is not the first time T-Mobile has faced legal consequences for its cybersecurity failures. The company suffered at least two data breaches in 2023 alone, reaching its ninth major security incident since 2018. In response to the lawsuit, a T-Mobile spokesperson told The Record that the company was surprised, stating that it had been in discussions with the Washington Attorney General’s office about the issue.

T-Mobile disagrees with the lawsuit’s claims but says it remains open to further discussions. The company also emphasized that it has improved its cybersecurity practices in recent years.