Trump Mobile confirmed it exposed customers’ names, email addresses, mailing addresses, phone numbers, and order identifiers to the open internet. The company says it’s “evaluating” whether to notify those customers — a decision framed by state breach notification laws, including California Civil Code § 1798.82, which requires notice any time personal data is acquired without authorization.
Company spokesperson Chris Walker told TechCrunch the data exposure was traced to an unnamed third-party platform provider. Walker said the company found no evidence that content or financial information was compromised and no breach of Trump Mobile’s own network, systems, or infrastructure.
The exposure came to light through an indirect path. A security researcher discovered the open data, couldn’t reach Trump Mobile to report it, and alerted YouTubers Coffeezilla and penguinz0, both of whom had preordered the company’s T1 phone. Both confirmed their own data was publicly accessible and said they also tried notifying the company and got no response.
That’s the real legal wedge. California’s law triggers on “acquisition” by an unauthorized person, not mere access. If Trump Mobile can argue no one actually downloaded the data, only accessed it, the notification clock arguably doesn’t start. Under California’s data breach reporting rules, companies affecting more than 500 state residents must also notify the attorney general.
The exposed order data reportedly put Trump Mobile’s total orders at roughly 30,000, far short of the 590,000 preorders cited in earlier press coverage. The company hasn’t said when it expects to complete its notification evaluation, but California residents don’t stop being California residents while the company deliberates.
James Okafor