T-Mobile US customers filed a series of class action lawsuits accusing the company of negligence after hackers exposed personal data belonging to millions of its current, former and prospective users.

At least three lawsuits have been filed so far in a district court, all demanding jury trials.

Two of the complaints accuse T-Mobile of violating the US Federal Trade Commission (FTC) Act, which prohibits companies from engaging in “unfair or deceptive” activities, including failure to maintain appropriate security measures to safeguard customer information.

In one of the filings, the plaintiff noted the FTC provided cybersecurity guidelines for businesses advising them not to maintain personally identifiable information “longer than is needed for authorisation of a transaction”.

T-Mobile last month revealed hackers accessed the names, social security numbers, birth dates and driver licence numbers of approximately 48 million people in total, 40 million of which had previously applied for credit and so may fall under the remit of the FTC law.

Another class action suit accuses T-Mobile of violating the California Consumer Privacy Act, which assigns specific penalties to companies which allow unauthorised access to their customers’ data.

Penalties are set at $100 to $750 per consumer or incident, or actual damages, whichever is found to be larger.

In a blog following the data breach, T-Mobile CEO Mike Sievert explained it is working with law enforcement agencies to investigate the incident, which he stated was perpetrated by one individual.

A 21-year-old hacker named John Brinns claimed responsibility for the attack, but T-Mobile did not confirm this.