Washington state is suing T-Mobile for allegedly failing to address cybersecurity vulnerabilities that enabled a hacker to expose the personal data of 79 million people nationwide. The consumer protection lawsuit filed by Washington Attorney General Bob Ferguson on Monday stems from a cyberattack that began in March 2021 and went unnoticed until T-Mobile disclosed the breach in August.

The filing asserts that T-Mobile failed to address certain security vulnerabilities that the company was aware of “for years,” and did not properly notify more than two million Washington residents who were impacted by the breach. The lawsuit accuses T-Mobile of downplaying the severity of the breach, which exposed the personal information of current, former, and prospective customers — including their names, phone numbers, physical addresses, dates of birth, Social Security numbers, and driver’s license / ID numbers.

The notifications that T-Mobile issued about the data breach violated the Consumer Protections Act by omitting key information that made it difficult for people to assess if they were at risk of identity theft or fraud, according to the filing. The lawsuit also says that T-Mobile “did not meet industry standards for cybersecurity” for years prior to the hack, and used “obvious passwords” to protect accounts that could access consumer information.

“This significant data breach was entirely avoidable,” Ferguson said in a statement. “T-Mobile had years to fix key vulnerabilities in its cybersecurity systems — and it failed.”

This isn’t the first time that Washington state has taken action against T-Mobile, with Ferguson having successfully persuaded the company to make clear the limitations of its “no-contract” wireless service plan back in 2013.

Ferguson’s latest lawsuit is seeking compensation for customers impacted by the 2021 breach and a court order that would force T-Mobile to bring its cybersecurity practices in line with industry standards, alongside improving transparency and communication around future data breaches. This follows T-Mobile paying $350 million in 2022 to settle a class-action lawsuit stemming from the 2021 hack, and a further $15.75 million fine last year over an FCC investigation into its repeated cybersecurity incidents.