Washington files lawsuit against T-Mobile after 'massive' data breach
PORTLAND, Ore. (KOIN) – Washington Attorney General – and Governor-elect – Bob Ferguson filed a lawsuit against T-Mobile on Monday, claiming security failures by the company led to a “massive” data breach.
The lawsuit, filed in King County Superior Court, alleges that T-Mobile knew about certain cybersecurity vulnerabilities for years, but did not do enough to address them.
Additionally, Ferguson argues that the company misrepresented how it prioritizes the personal data it collects, and that T-Mobile failed to properly notify Washingtonians who were impacted by the breach by “downplaying its severity and sending notices to affected consumers that did not disclose all the information that had been compromised,” the Attorney General’s Office said.
“This significant data breach was entirely avoidable,” Ferguson said in a statement. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”
According to the Attorney General’s Office, T-Mobile discovered in August of 2021 that a hacker had gained access to its internal network and exposed the personal information of nearly 80 million customers, including 2 million Washingtonians.
Of the 2 million Washingtonians who had their data breached, officials said over 180,000 had their Social Security numbers compromised. Other compromised data included phone numbers, names, addresses, and driver’s license information.
According to the Attorney General’s Office, the data breach started in March 2021 and continued until August 12, 2021.
Because of a lack of adequate security monitoring, T-Mobile was unaware of the breach until an anonymous outside source told the company that customer data was posted for sale on the dark web, the lawsuit alleges.
T-Mobile customers received brief text messages from the company alerting them to the breach; however, the messages left out “critical and legally required information,” according to the Attorney General’s Office.
Additionally, current customers whose Social Security numbers were exposed did not receive any information on that exposure, the state alleges.
Years before August 2021, T-Mobile “did not meet industry standards for cybersecurity and knew about these vulnerabilities,” the Attorney General’s Office claims, noting filings with the federal Securities and Exchange Commission in 2020 said T-Mobile was a target of numerous cyberattacks.
The lawsuit alleges that the security failures violated Washington’s Consumer Protection Act and that the 2021 data breach was a direct result of “T-Mobile’s lack of accountability.”
The suit seeks civil penalties and restitution for the victims, along with injunctive relief to require the company to improve its cybersecurity policies and cybersecurity communication to customers.
In a statement to KOIN 6 News on Monday, T-Mobile called the lawsuit a “surprise.”
“We have had multiple conversations about this incident from 2021 with the Washington AG's office over the last several years and even reached out in late November to continue discussions, so the office’s decision to file a lawsuit today came as a surprise,” T-Mobile said. “While we disagree with their approach and the filing’s claims, we are open to further dialogue and welcome the opportunity to resolve this issue, as we have already done with the FCC. We also look forward to sharing how T-Mobile has fundamentally transformed our approach to cyber security over the past four years to further protect our customers.”