T-Mobile Sim Swap Incident Resulted in $275K Theft from Victim’s Coinbase Account
SAMPLE COMPLAINT AGAINST T-MOBILE USA, INC.
The information provided here does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Readers of this post should contact their attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information of this sample arbitration complaint without first seeking legal advice from counsel in the relevant jurisdiction.
AMERICAN ARBITRATION ASSOCIATION COMPLAINT SAMPLE
Claimant, by and through his attorney, Max Dilendorf, brings this against Respondent T-Mobile USA, Inc. (“T-Mobile”, “Respondent”) pursuant to the Federal Communications Act, a common law theory of gross negligence, a common law theory of negligent hiring, retention, and supervision; and the Computer Fraud and Abuse Act.
INTRODUCTION
- This action arises out of T-Mobile USA, Inc.’s (hereinafter “T-Mobile”) systemic and repeated failures to protect and safeguard its customers’ highly sensitive personal and financial information against common, widely reported, and foreseeable attempts to illegally obtain such information.
- As a result of T-Mobile’s misconduct as alleged herein, including their gross negligence in failing to protect customer information, its negligent hiring and supervision of customer support personnel, and its violations of federal and state laws designed to protect wireless service consumers, Claimant lost 4.13834669 (“BTC”), with a current estimated value in excess of $ 275,365.91 due to an account takeover scheme (also known as a “SIM-swap”) which could not have occurred but for Respondent’s intentional actions and negligent practices, as well as their repeated failure to adhere to federal and state laws.
PARTIES
- Claimant is a resident of State of Texas.
- Respondent is a Delaware corporation with principal place of business in the State of Washington.
FACTUAL BACKGROUND RELEVANT TO ALL CAUSES OF ACTION
- T-Mobile markets and sells wireless cellular phone service through standardized wireless service plans via various retail locations, online sales, and over the telephone.
- T-Mobile has approximately 600 stores in Texas. See https://www.t-mobile.com/store-locator/tx, which lists all T-Mobile storefronts in Texas by town.
- The Respondent has a substantial advertising budget, amounting to $2.2 billion in 2021. It is estimated they spend millions annually marketing their services to residents of Texas. See https://www.statista.com/statistics/760050/ad-spending-of-t-mobile-in-the-us/.
- T-Mobile maintains accounts for its wireless customers, enabling them to access information about the services they purchase from T-Mobile.
- It is widely recognized and has been widely publicized that mishandling of customer wireless accounts, including, but not limited to, allowing unauthorized access, can facilitate identity theft and related consumer harm.
- Numerous instances of mishandling of customer account information have occurred at T-Mobile. Many major media outlets have written about T-Mobile’s SIM swap hacks. These publications include, but are not limited to: The Washington Post[1], Yahoo![2], Law 360[3], CoinDesk[4], The New York Post[5], Wired[6], as well as various local media affiliates of major news outlets[7]. Further, Vice wrote an article in 2020 regarding Verizon Wireless’s attempts increase protection for users against SIM swaps, urging other mobile phone carriers, including T-Mobile, to do the same[8].
- As one of the nation’s largest wireless carriers, T-Mobile’s operations must comply with various federal and state statutes, including (but not limited to) the Federal Communications Act (“FCA”) 47 U.S.C. §222.
- The FCA obligates T-Mobile to protect the “confidentiality of proprietary information of [its] customers” and “customer proprietary network information” (commonly referred to as “CPI” and “CPNI”, respectively). See 47 U.S.C. §222(a), (c).
- The Federal Communications Commission (“FCC”) has promulgated rules to implement Section 222 of the FCA “to ensure that telecommunications carriers establish effective safeguards to protect against unauthorized use or disclosure of CPNI.” In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, 07-22 FCC Rcd. (Mar. 13, 2007); see also 47 C.F.R. §64.2001 et seq. (“CPNI Rules”).
- The CPNI Rules limit disclosure and use of CPNI without customer approval to certain limited circumstances (such as cooperation with law enforcement), none of which are applicable to the facts here. See 47 C.F.R. §64.2005.
- The CPNI Rules also require carriers to implement safeguards to protect customers’ CPNI. See 47 C.F.R. §64.2009(b), (d), and (e).
- These safeguards include: (a) training personnel “as to when they are and are not authorized to use CPNI”; (b) establishing “a supervisory review process regarding carrier compliance with the rules”; and (c) filing annual compliance certificates with the FCC. Id.
- The CPNI Rules further require carriers to implement measures to prevent the disclosure of CPNI to unauthorized individuals. For example, “carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” 47 C.F.R. §64.2010(a).
- T-Mobile regularly holds itself out to the general public as a secure and reliable custodian of customer data, including customer’s confidential financial and personal information. As an example, T-Mobile explicitly states that “when you contact us by phone or visit us in our stores, we have procedures in place to make sure that only the primary account holder or authorized users have access.” See https://www.t-mobile.com/privacy-center/our-practices/privacy-policy.
- T-Mobile maintains that it uses a variety of “administrative, technical, contractual, and physical safeguards” to protect customers’ data “against security incidents, and illegal, fraudulent, or unauthorized activities; investigate suspicious traffic, cybersecurity threats or vulnerabilities, complaints, and claims; authenticate your credentials for account access and information and provide other security protections, as of August 9, 2021. Id.
- Upon information and belief, T-Mobile’s sales and marketing materials make similar representations regarding T-Mobile’s alleged implementation of various safeguards to protect its customers’ private information (as required by statutes).
- T-Mobile’s deceptive statements are designed to cover up for the fact that it is aware their security procedures can and do fall short of their expressed and implied representations and promises, as well as their statutory duties.
- Such failures, which lead to unauthorized access of customers’ information, were entirely foreseeable by T-Mobile, especially given the wide media coverage of such hackings prior to the event in dispute here.
A. SIM CARD SWAP
- As T-Mobile is aware, various forms of account takeover fraud have been widely reported in the press, by government regulators (including the Federal Trade Commission (“FTC”) and the FCC), academic publications, and multiple lawsuits across the country.
- These illegal schemes involve criminals and fraudsters gaining access to or “hijacking” customer wireless accounts, which often include sensitive personal and financial information, to induce third parties to conduct transactions with individuals they believe to be legitimate or known to them.
- Sometimes these schemes are perpetrated by employees of the wireless carriers, such as T-Mobile.
- One of the most damaging and pervasive forms of account takeover fraud is known as a “SIM-Swap”, whereby a third-party (with the help of a wireless carrier like T-Mobile) is allowed to transfer access to a customer’s cellular phone number from the customer’s registered “subscriber identity module” card (or “SIM card”) – to a SIM card controlled by the third party.
- A SIM Card has a complete record of a user’s cell phone history, inclusive of text messages, calls, and any applications which a user has downloaded.
- A SIM swap is when a hacker convinces a carrier to switch a phone number over to a SIM card they own. Once a hacker has access to the phone number, they control the text-based two-factor authentication checks specifically designed to add a layer of protection to sensitive accounts such as bank accounts, social media accounts, and email accounts.
- The wireless carrier, however, must effectuate the SIM card reassignment. Therefore, “SIM-swapping” is not an isolated criminal act, as it requires the wireless carrier’s active involvement to swap the SIM containing information regarding its customer to an unauthorized person’s phone.
- Indeed, unlike a direct hack of data, whereby a company like T-Mobile plays a more passive role, SIM-swaps are ultimately effectuated by the wireless carrier itself. For instance, in this case, it is T-Mobile that approved and allowed the SIM card change (without Claimant’s authorization), as well as all of the subsequent telecommunication activity that was used to access Claimant’s online accounts and cause the injuries suffered by Claimant.
- As such, by directly or indirectly exceeding authorized access to customer accounts, wireless carriers such as T-Mobile may be liable under state and federal statutes, such as the Federal Communications Act (“FCA”).
- Once a third-party has access to the legitimate user’s SIM card data, it can then seamlessly impersonate that legitimate user (e.g., in communicating with others or contacting various vendors).
- A common target of SIM-swapping and account takeover fraud are individuals known, or expected, to hold cryptocurrency, because account information is often contained on users’ cellular phones, allowing criminals to transfer the legitimate user’s cryptocurrency to an account controlled by the third-party.
- The Federal Communications investigated T-Mobile and on February 28, 2020 released a report which read as follows:
The American public and federal law consider such information highly personal and sensitive—and justifiably so. As the Supreme Court has observed, location data associated with wireless service “provides an intimate window into a person’s life, revealing not only his particular movements, but through them his familial, political, professional, religious, and sexual associations.”4 Section 222 of the Communications Act requires carriers to protect the confidentiality of certain customer data related to the provision of telecommunications service, including location information. The Commission has advised carriers that this duty requires them to take “every reasonable precaution” to safeguard their customers’ information. The Commission has also warned carriers that the FCC would “[take] resolute enforcement action to ensure that the goals of section 222 are achieved.
Today, we do exactly that. In this Notice of Apparent Liability, we propose a penalty of $91,630,000 against T-Mobile USA, Inc. (T-Mobile or Company) for apparently violating section 222 of the Communications Act and the Commission’s regulations governing the privacy of customer information. We find that T-Mobile apparently disclosed its customers’ location information, without their consent, to third parties who were not authorized to receive it. In addition, even after highly publicized incidents put the Company on notice that its safeguards for protecting customer location information were inadequate, T-Mobile apparently continued to sell access to its customers’ location information for the better part of a year without putting in place reasonable safeguards—leaving its customers’ data at unreasonable risk of unauthorized disclosure. In the Matter of T-Mobile USA, Inc., File No. EB-TCD-18-00027702 (February 28, 2020), page 1786.
- The prevalence of SIM-swap fraud and T-Mobile’s knowledge of such fraud, including, but not limited to that performed with the active participation of its own employees, demonstrates that what happened with Claimant’s account was neither an isolated incident nor an unforeseeable event.
- As a regulated wireless carrier, T-Mobile has a well-established duty – one which it freely acknowledges on its corporate website – to protect the security and privacy of CPI and CPNI from unauthorized access and T-Mobile is obligated to certify its compliance with this mandate to the FCC every year. See, g., https://www.t-mobile.com/privacy-center/education-and-resources/cpni.
- The FCA expressly restricts carriers like T-Mobile from unauthorized disclosure of CPNI.
- In light of the above, at the time of the events at issue in the present case, T-Mobile was keenly aware of its obligations, as well as multiple weaknesses in its internal processes and procedures to authenticate legitimate customers.
- The failure of T-Mobile to have proper safeguards and security measures as recommended by the FCC resulted in damages to Claimant in an amount to be determined at trial.
B. LACK OF SECURITY PROTOCOLS
- T-Mobile has been on notice for years that their security measures were not adequate. Despite this, sufficient security measures were not in place to prevent this SIM Card swap and the corresponding theft.
- A SIM swapping attack is otherwise known as SIM splitting, SIM jacking, SIM hijacking, and port-out scamming. It’s a scam that happens when fraudsters use the weakness of two-factor authentication and verification which involves the second step of the process: receiving a text message or phone call to your cellphone number.
- Despite this knowledge of inherent security flaws, T-Mobile and its officers and directors acted with a conscious and reckless disregard for the security of their customers, failing to ratify and implement policies that would protect its customers’ accounts.
- A valid driver’s license and a valid pin/security code should have been required in order to port a number to a new phone.
- Security measures should have been in place which required the original SIM to be present in order for that information to be placed onto a new device.
- The fact that Claimant’s number was ported over without the original SIM device being present and without a valid ID corroborating Claimant’s identity points to either completely substandard security procedures or this being an inside job by a T-Mobile Representative.
- T-Mobile should require SIM Card swaps to be done in person via their extensive network of stores.
- T-Mobile Representatives were either complicit with the theft or grossly negligent.
- T-Mobiles’ officers and directors exhibited a conscious and reckless disregard for the security of its customers by failing to implement sufficient security protocols.
- Claimant has filed a police report with The Police Department.
C. FACTS RELATING TO THE EVENT IN DISPUTE
- Claimant is a T-Mobile customer.
- On or about November 2021, Claimant realized that there was no service.
- On December 2021, T-Mobile sent Claimant a letter acknowledging the unauthorized activity on Claimant’s account.
- During the breach, the hackers were able to disable Coinbase’s notification system, thus enabling them to make undetected transfers from Claimant’s Account.
FIRST CAUSE OF ACTION: VIOLATION OF THE FEDERAL COMMUNICATION ACT
- Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
- The FCA regulates interstate telecommunications carriers, including T-Mobile.
- T-Mobile is a “common carrier” or a “telecommunications carrier” engaged in interstate commerce by wire for the purpose of furnishing communication services within the meaning of Section 201(a) of the FCA. See 47 U.S.C. §201(a).
- As a “common carrier”, T-Mobile is subject to the substantive requirements of Sections 201 through 222 of the FCA. See 47 U.S.C. §§201-222.
- Under Section 201(b) of the FCA, common carriers may implement only those practices, classifications, and regulations that are “just and reasonable.” Practices that are “unjust or unreasonable” are unlawful.
- Section 206 of the FCA, entitled “Carriers’ liability for damages” provides:
In case any common carrier shall do, or cause or permit to be done, any act, matter, or thing in this chapter prohibited or declared to be unlawful, or shall omit to do any act, matter, or thing in this chapter required to be done, such common carrier shall be liable to the person or persons injured thereby for the full amount of damages sustained in consequence of any such violation of the provisions of this chapter, together with a reasonable counsel or attorney’s fee, to be fixed by the court in every case of recovery, which attorney’s fee shall be taxed and collected as part of the costs in the case.
- Section 207 of the FCA, entitled “Recovery of damages” further provides:
Any person claiming to be damaged by any common carrier subject to the provisions of this chapter may either make complaint to the [FCC] as hereinafter provided for, or may bring suit for the recovery of the damages for which such common carrier may be liable under the provisions of this chapter, in any district court of the United States of competent jurisdiction; but such person shall not have the right to pursue both remedies.
- Additionally, Section 222(c) of the FCA explicitly requires that telecommunications carriers protect its customers’ CPNI. See 47 U.S.C. §222(c).
- According to the CPNI Rules:
Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated contact, online account access, or an in-store visit.
…
In-store access to CPNI. A telecommunications carrier may disclose CPNI to a customer who, at a carrier’s retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer’s account information. In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, 07-22 FCC Rcd. (Mar. 13, 2007).
T-Mobile violated its duties under Section 222 of the FCA by failing to protect Claimant’s CPI and CPNI by using, disclosing, or permitting access to Claimant’s CPI and CPNI without the consent, notice, and/or legal authorization of Claimant as required by the FCA, in that upon information and belief:
- during an in-store visit, or over the phone, Claimant’s CPI and CPNI were disclosed to someone other than Claimant by an agent of Respondent;
- during an in-store visit, or over the phone, Claimant’s CPI and CPNI were disclosed to someone who was not properly authenticated by Respondent during an in-store visit, or over the phone. Claimant’s CPI and CPNI were disclosed to someone who did not first present a valid photo ID to Respondent.
- As alleged herein, T-Mobile failed to protected the confidentiality of Claimant’s CPI and CPNI when it disclosed Claimant’s CPI and CPNI to third-parties without Claimant’s authorization or permission.
- T-Mobile’s conduct, as alleged herein, constitute knowing violations of the FCA, including sections 201(b) and 222, as well as the CPNI Rules.
- T-Mobile is also liable for the acts, omissions, and/or failures, as alleged herein, of its officers, employees, agents, or any other persons acting for or on behalf of T-Mobile.
- T-Mobile’s violation of the FCA allowed unauthorized parties to impersonate Claimant in transactions with others.
- T-Mobile violated the FCA, including Section 222, by allowing an unauthorized party to access Claimant’s CPI and CPNI, resulting in, inter alia, Claimant’s loss of his possessions, including 4.13834669 Bitcoin.
- As a direct consequence of T-Mobile’s violations of the FCA, Claimant has been damaged through the loss of his property, namely 4.13834669 Bitcoin.
- Had T-Mobile not allowed the unauthorized access to Claimant’s account, Claimant would not have suffered this loss.
- T-Mobile, by its inadequate procedures, practices, and regulation, engages in practices which, when taken together:
- fail to provide reasonable, appropriate, and sufficient security to prevent unauthorized access to its customers’ wireless accounts;
- allow unauthorized persons to be authenticated; and
- grant access to sensitive customer account information.
- In particular, T-Mobile failed to establish and implement reasonable policies, procedures and safeguards governing the creation, access, and authentication of user credentials to access customers’ accounts, creating an unreasonable risk of unauthorized access.
- As such, in violation of the FCA, T-Mobile has failed to ensure that only authorized persons have access to customer account data and that customers’ CPI and CPNI are secure.
- Among other things, T-Mobile:
- failed to establish and enforce rules and procedures sufficient to ensure only authorized persons have access to T-Mobile customer accounts, including that of Claimant;
- failed to establish appropriate rules, policies and procedures for the supervision and control of its officers, agents and employees;
- failed to establish and enforce rules and procedures, or provide adequate supervision and/or training sufficient to ensure that its employees and agents follow such rules and procedures to restrict access by unauthorized persons;
- failed to establish and enforce rules and procedures to ensure T-Mobile’s employees and agents adhere to the security instructions of customers with regard to accessing customers’ accounts, including that of Claimant;
- failed to adequately safeguard and protect its customers’ wireless accounts;
- permitted the sharing of and access to user credentials among T-Mobile’s agents or employees without a pending request from the customer, reducing the likely detection of and accountability for unauthorized access;
- failed to appropriately supervise employees and agents, who granted unauthorized access to customers’ accounts, including that of Claimant;
- failed to adequately train and supervise its employees, officers, and agents to prevent the unauthorized access to customer accounts;
- failed to prevent the ability of employees, officers, and agents to access and make changes to customer accounts without specific customer authorization;
- allowed “porting out” of cell phone numbers without properly confirming that the request was coming from legitimate customers;
- lacked proper monitoring and, therefore, failed to monitor its systems for the presence of unauthorized access in a manner that would allow T-Mobile to detect intrusions, breaches of security, and unauthorized access to customer information;
- failed to implement and maintain readily available best practices to safeguard customer information (and indeed, seemed to suggest such practices were only available to those customers who “paid for” the privilege of having their information secured);
- failed to diagnose and determine timely the cause of Claimant’s service interruption;
- failed to notify Claimant timely of the cause of Claimant’s service interruption; and
- failed to implement and maintain internal controls to help protect against account takeovers and SIM-swaps by unauthorized persons.
- The inadequate security measures, policies and safeguards employed by T-Mobile created a foreseeable and unreasonable risk of unauthorized access to the accounts of its customers, including that of Claimant.
- Upon information and belief, T-Mobile has been long aware of its inadequate security measures, policies, and safeguards, and nevertheless, induced customers into believing that its systems were secure and compliant with applicable law.
- T-Mobile, despite knowing the risks associated with unauthorized access to customer accounts, failed to utilize reasonable and available methods to prevent or limit such unauthorized access.
- T-Mobile failed in its duty to protect and safeguard customer information and data pursuant to federal law.
- Had T-Mobile implemented appropriate and reasonable security measures, Claimant would not have been damaged.
- In sum, Respondent’s security measures were entirely inadequate to prevent the foreseeable damage caused to Claimant.
SECOND CAUSE OF ACTION: NEGLIGENCE
- Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
- T-Mobile owes a duty of care to its customers to ensure the privacy and confidentiality of CPI and CPNI during its provision of wireless carrier services, as required by both federal and state law.
- By allowing unauthorized access to the personal and confidential information of legitimate T-Mobile customers, T-Mobile breached its duty of care to its customers and to foreseeable victims, including Claimant.
- By failing to diagnose timely and properly the cause of Claimant’s service interruption, T-Mobile breached its duty of care to its customers and to foreseeable victims, including Claimant.
- But for the inadequate security protocols, practices, and procedures employed by T-Mobile in protecting customer data, including Claimant’s private and confidential information, Claimant would not have suffered any damage.
- But for the inadequate protocols, practices, and procedures employed by T-Mobile in diagnosing the causes of customers’ service interruptions, Claimant would not have suffered any damages.
- But for those intentional actions and/or inaction of Respondent and its agents, Claimant would not have suffered damages.
- But for T-Mobile’s inability to diagnose quickly and effectively and/or determine that Claimant’s account was compromised by a SIM-swap – a fact that T-Mobile should have known – Claimant would not have suffered damages.
- Claimant has been damaged through the loss of his property, namely 4.13834669 Bitcoin, with a current estimated value in excess of $275,365.91.
THIRD CAUSE OF ACTION: GROSS NEGLIGENCE
- Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
- T-Mobile, as required by federal and state law, owed Claimant a duty to handle and safeguard properly Claimant’s CPI and CPNI and access to his account.
- T-Mobile was required to ensure its compliance with federal law and to protect the confidentiality of its customers’ account data, including that of Claimant.
- Upon information and belief, T-Mobile willfully disregarded and/or showed reckless indifference to its duties under federal and state law to T-Mobile customers and to foreseeable victims of T-Mobile’s wrongful acts.
- Having superior knowledge of prior account takeover attacks on T-Mobile customers’ data and having the ability to employ internal systems, procedures, and safeguards to prevent such attacks, T-Mobile nevertheless failed:
- to institute appropriate controls to prevent unauthorized access to customers’ accounts;
- to utilize authentication systems it knew or should have known were vulnerable to account takeover attacks;
- to implement systems to thwart such attacks, willfully disregarding the best practices of the industry in failing; and
- to appropriately hire, retain, supervise, train, and control those officers, agents, and employees who could grant or obtain unauthorized access to customer account data.
- T-Mobile’s policies, procedures and safeguards were completely ineffective and inadequate to prevent the unauthorized access to its customers’ data, notwithstanding the requirements of the CFA, thus meeting the definition of gross negligence and warranting punitive damages for violating [●].
FOURTH CAUSE OF ACTION: NEGLIGENT HIRING, RETENTION AND SUPERVISION
- Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
- At all material times herein, T-Mobile’s agents, officers, and employees, including, but not limited to, those directly or indirectly responsible for or involved in allowing unauthorized access to Claimant’s confidential and proprietary account information, were under T-Mobile’s direct supervision and control.
- Upon information and belief, T-Mobile negligently hired, retained, controlled, trained, and supervised the officers, agents, and employees under its control, or knew or should have known that such officers, agents, and employees could allow unauthorized access to customer accounts, including that of Claimant.
- Upon information and belief, T-Mobile failed negligently to implement systems and procedures necessary to prevent its officers, agents, and employees from allowing or obtaining unauthorized access to customer accounts, including that of Claimant.
- Upon information and belief, T-Mobile’s negligent hiring, retention, control, training, and supervision allowed the unauthorized access to customers’ accounts resulting in damage to T-Mobile customers and foreseeable victims in the public at large, including Claimant.
- Given T-Mobile’s experience with account takeover and SIM-swap attacks (including some perpetrated and/or assisted by Respondent’s own employees, officers, or agents), T-Mobile’s failure to exercise reasonable care in screening, supervising, and controlling its officers, agents, and employees was a breach of its duty to its customers, including Claimant.
- T-Mobile’s duty to its customers and foreseeable victims to protect its customers’ data from unauthorized access is required by federal and state law.
- It was entirely foreseeable to T-Mobile that unauthorized persons would attempt to gain unauthorized access to T-Mobile customers’ data and, despite this, T-Mobile failed to implement sufficient safeguards and procedures to prevent its officers, agents, and employees from granting or obtaining such unauthorized access.
- Upon information and belief, T-Mobile engaged in the acts alleged herein and/or condoned, permitted, authorized, and/or ratified the conduct of its officers, agents, and employees.
- As a direct consequence of T-Mobile’s negligent hiring, retention, control and supervision of its officers, agents, and employees, who enabled or obtained the unauthorized access to Claimant’s account, Claimant was damaged through the loss of his property, namely 4.13834669 Bitcoin, with a current estimated value in excess of $275,365.91.
FIFTH CAUSE OF ACTION: VIOLATIONS OF THE COMPUTER FRAUD AND ABUSE ACT
- Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
- The CFAA governs those who intentionally access computers without authorization or who intentionally exceed authorized access, and as a result of such conduct cause damage and loss.
- As alleged herein, a SIM-swap attack requires the intentional access to customer computer data by T-Mobile which exceeds its authority, and which causes damage and loss. As such, T-Mobile is subject to the provisions of the CFAA.
- T-Mobile’s conduct, as alleged herein, constitutes a knowing violation of the CFAA.
- T-Mobile is also liable for the acts, omissions, and/or failures, as alleged herein, of any of its officers, employees, agents, or any other person acting for on behalf of T-Mobile.
- T-Mobile violated its duty under the CFAA by exceeding its authority to access the computer data and breach the confidentiality of the proprietary information of Claimant using, disclosing, or permitting access to Claimant’s CPNI without the consent, notice, and/or legal authorization of Claimant as required by the CFAA.
- Section 1030(g) of the CFAA provides, in pertinent part:
Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brough under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage….
- Claimant alleges he has suffered damages which exceed the threshold of $5,000.00 as required by Section 1030(c)(4)(A)(i)(I) of the CFAA.
- Claimant alleges T-Mobile’s unlawful conduct has caused damage which exceeds approximately $275,365.91.
- Claimant has brought this claim within two (2) years of the date of discovery of the damage pursuant to Section 1030(g) of the CFAA.
- Claimant discovered damage on or about July 2021.
- Upon information and belief, T-Mobile’s conduct as alleged herein constitutes a violation of Section (a)(5)(A) of the CFAA.
- Upon information and belief, T-Mobile’s conduct as alleged herein may constitute a reckless violation of Section (a)(5)(B) of the CFAA.
- Upon information and belief, T-Mobile’s conduct as alleged herein may constitute an intentional violation of Section (a)(5)(C) of the CFAA.
- As a direct consequence of T-Mobile’s violations of the CFAA, Claimant has been damaged in an amount to be proven at trial but, upon information and belief, exceeds $275,365.91 plus fees and costs, including reasonable attorneys’ fees.
PRAYER FOR RELIEF
WHEREFORE Claimant demands a judgment against T-Mobile as follows:
- Enter judgment for Claimant on all counts
- Award compensatory damages to Claimant arising from T-Mobile’s negligence;
- Award statutory damages to Claimant for T-Mobile’s FCA violations;
- Award punitive damages to Claimant for T-Mobiles gross negligence and the conscious and reckless disregard of its customer’s data;
- Award statutory damages to Claimant for T-Mobile’s CFAA violations;
- Award Claimant costs and reasonable attorneys’ fees;
- Award Claimant prejudgment interest; and
- Award Claimant such other and further relief as this Court deems just, fair, and proper.
Refernces
[1] See https://www.washingtonpost.com/technology/2021/08/19/t-mobile-data-breach-what-to-do/.
[2] See https://ca.movies.yahoo.com/t-mobile-sim-swapping-data-breach-190612616.html.
[3] See https://www.law360.com/articles/1429370/t-mobile-called-to-court-for-sim-swap-schemes .
[4] See https://www.coindesk.com/markets/2020/07/23/veritaseum-accuses-t-mobile-of-gross-negligence-over-86m-sim-swap-hack/.
[5] See https://nypost.com/2020/08/08/cryptocurrency-fraud-reginald-middleton-sues-t-mobile-for-phone-hack/.
[6] See https://www.wired.com/story/t-mobile-breach-much-worse-than-it-had-to-be/.
[7] See https://www.fox2detroit.com/news/tech-security-expert-warns-about-sim-card-scam-on-t-mobile-customers; https://www.click2houston.com/news/investigates/2021/11/16/kprc-2-investigates-phone-number-swap-scam-warning/.
[8] See https://www.vice.com/en/article/3azv4y/verizon-sim-swapping-hack-protection-number-lock.
[9] See BSA/AML Policies for Cryptocurrency Exchanges in a Nutshell
We stay up to date and track cases involving phishing attacks and sim swap affecting major cryptocurrency exchanges and mobile operators:
One of the largest cellphone carriers in the United States is facing yet another lawsuit by a digital currency investor over SIM swap fraud. T-Mobile failed in its duty to protect its users and resulted in the plaintiff’s loss of $55,000 worth of BTC, according to the lawsuit filed in Pennsylvania.
I am victim of a SIM Swap scam. Both T-Mobil and Coinbase.com where negligent and failed to protect me. I have all the evidence to prove my case.
An 84-year-old grandmother living in West Palm Beach started investing in cryptocurrency to help save up for her family’s future. Then, nearly all of the money she put into cryptocurrency vanished after she claims a hacker got into her accounts and drained it of about $800,000.
- Coinbase Reportedly Stealing Customer Funds, According to Complaint Documents Filed to SEC | CryptoGlobe |
Coinbase users have filed 134 pages of complaints to the SEC alleging that their funds have been “stolen” by the exchange
- T-Mobile Sued Again Over SIM Swap Crypto Losses | Law Street |
Yesterday, Kevin Frye filed a complaint in the Southern District of Florida against T-Mobile USA, Inc. for allegedly conducting a “SIM-Swap” without his consent, resulting in the loss of tens of thousands of dollars worth of cryptocurrency. The plaintiff claimed that “T-Mobile Representatives were either complicit with the theft or grossly negligent” since they have been on “notice for years that their security measures were not adequate.”
- SIM swapping victim alleges T-Mobile failed to stop $20,000 cryptocurrency scam | Cyberscoop | June 4, 2021
A Pennsylvania woman who lost the equivalent of $20,000 in cryptocurrency as part of a mobile fraud scheme says T-Mobile failed to protect her account in the face of a wave of similar incidents.
Nine months before scammers stole $20,000 from Kesler’s Coinbase account, the suit argues, Jack Dorsey was the victim of another high profile SIM swap, in which outsiders seized control of the Twitter CEO’s information. Security journalist Brian Krebs also covered the issue in 2018, specifically reporting that a T-Mobile retail store employee was under investigation for making an unauthorized SIM swa
- Man takes on Gemini and CIT in lawsuit after his $263,799.28 was allegedly stolen to purchase crypto
A man is suing Gemini, claiming it was negligent not to notice significant sums of money moved from his money market account to buy cryptocurrency on the exchange over seven days. While the trader was out of reach in the Australian outback, someone allegedly stole money from his CIT account and wired it to Gemini to purchase crypto. Later, he noticed fraudulent activity on his accounts with other banks, and is suing CIT in addition to Gemini, claiming it violated the Electronic Funds Transfer A
Hackers stole $21 million in Bitcoin and $15 million in Ethereum from retirement accounts held with IRA Financial Trust on February 8, according to a report from Bloomberg based on an anonymous source.
Interviews and thousands of complaints have revealed a pattern of account hacks where users have reported money vanishing from their accounts, reports CNBC. Once criminals gain access to an account, funds can be drained within minutes.
- Lost $350,000 in a hack, now Coinbase wants me to pay them $10,000 | Reddit User | March 15, 2022 – 5 months Ago
My account that my mom and I use together got hacked in June of this year. We lost $350,000.The hacker not only transferred out all of the crypto we owned, they used the bank accounts that were linked to purchase more. When we found out about the hack, we called our banks to stop the transfer of money. We also immediately contacted Coinbase to report the hack. However, Coinbase still let the purchase go through while the bank transactions were pending. Now, Coinbass is claiming that because we stopped our banks from transferring the money, we owe them $10,000 to reimburse them for the purchase.
California-headquartered crypto trading platform Coinbase—has been named in at least 115 complaints sent to the U.S. Securities and Exchange Commission and the California Department of Business Oversight
“I believe Coinbase has engaged in fraud by knowingly marketing a service it knows it cannot actually provide,” the filing from November last year read, adding: “Coinbase knows it does not have the infrastructure to timely and adequately meet customer needs.” At the time, bitcoin and other virtual currencies were rocketing in value, leading to an unprecedented interest from eager new investors.
It took only two minutes for the attacker to clean Sean Everett out of what was then a few thousand dollars’ worth of digital coins from his Coinbase wallet
- Coinbase once lost $250,000 of Bitcoin in phishing attack | Decrypt | May 22, 2020
Author Jeff Roberts said $250,000 was stolen from Coinbase in 2013/2014. Roberts claims Coinbase’s hot wallet was hacked just a year after the company’s inception in 2012, and that the hacker made away with $250,000 worth of Bitcoin
Olympia and Steve Kallman of Parma said they are dealing with some sleepless nights after police reported they had more than $22,000 taken by con artists from their Coinbase cryptocurrency virtual wallet back on Aug. 16.
- T-MOBILE SUED AFTER CLIENT LOST $8.7 MILLION IN CRYPTOCURRENCY HACK | Levin Law, August 12, 2021
T-Mobile is facing a multi-million dollar lawsuit after hackers were able to gain unauthorized access to a client’s account. Using information provided by the cellular company, hackers successfully bypassed their two-factor authentication security measures enabling them to obtain a SIM card with the client’s personal and financial information. $8.7 million in cryptocurrency was ultimately transferred out of the customer’s account.
- T-Mobile Customer Sues T-Mobile After Losing $8.7 Million of Cryptocurrency Stolen in SIM Swap Scam | Dimond Kaplan & Rothstein, P.A.
T-Mobile has been hit with a multi-million-dollar lawsuit after Reginald Middleton lost millions of dollars when hackers gained unauthorized access to his account. The hackers used information supplied by T-Mobile to successfully circumvent the two-factor authentication measure, which allowed them to obtain a SIM card containing all of Middleton’s financial and personal information. Ultimately, $8.7 million in cryptocurrency was transferred out of Middleton’s account.
- Another Bitcoin Investor Sues T-Mobile Over SIM Swap Attack | Nasdaq | July 15, 2021
Richard Harris, the customer and plaintiff, is alleging T-Mobile’s misconduct including its failure to adequately protect customer information, hire appropriate support staff and its violation of federal and state laws led to his loss of 1.63 bitcoin.
Last night while I was sleeping my account was logged into (web) from Russia…
The Vidovics lost nearly $170,000 in the blink of an eye when someone hacked their Coinbase account.
John said his accounts with Coinbase and Coinbase Pro were emptied as he watched his phone screen.
- Coinbase User Accounts Emptied After Hackers Gained Access to Their Crypto Wallets | Couple Discovered $168K Crypto Stolen | Tech Times | August 25, 2021
….an increasing number of users of the currently highly popular cryptocurrency exchange called Coinbase have suddenly found their accounts on the platform empty. This is after hackers have managed to gain access to them and thoroughly drain their cryptocurrency wallets.
- Sim-swappers hack League of Legends star out of $200K worth of cryptocurrency from Coinbase account | TheNextWeb | September 18, 2018
League of Legends superstar has had $200,000 in cryptocurrency stolen from them – directly from their Coinbase account
…an unauthorized user had changed Ms. Maguian’a passwords for trading platforms… Coinbase and initiated transactions that emptied her accounts of crypto valued at around $80,000 at the time
- U.S. Court Rules Money Laundering-Related Case Against Coinbase Must Have Public Trial | Cointelegraph | April 24, 2018
The Eleventh Circuit Court of Appeals ruled today that the class action against Coinbase…will be held in open court. The case in question alleges that Coinbase assisted in laundering around $8.2 mln of stolen Bitcoin (BTC) – valued at over $100 mln today.
- Coinbase Cryptocurrency accounts wiped out ‘in an instant by cyber crooks | ABC Action News |
The Vidovics lost nearly $170,000 in the blink of an eye when someone hacked their Coinbase account.
Dr. Anders Apgar, a Coinbase customer, said his account had a balance of more than $100,000 in crypto when it was hacked during a robocall.
- Coinbase Account Hacked $14,000 USD stolen | Reddit User |
I had $14,000+ USD in my coinbase pro account. The account was hacked at the money was switched over to crypto and sent to multiple people this occured several hours ago (05/14/2021). Case # 06082303
- Cybercriminals cleanout cryptocurrency using sim card swap scam | ABC Action News
Tampa resident David Bryant knew something was wrong last October when he found Coinbase notifications deleted from his account and his login no longer worked. “I lost about $15,000 dollars worth of crypto,” David said.
A Texas man is suing Coinbase, the cryptocurrency trading platform. The man alleges his Coinbase account was breached to make a $50,000 unauthorized transaction. He says at least 1,000 other Coinbase accounts have also been breached.
- Nearly 75% of Stolen Ransomware Crypto Went to Russia in 2021, New Report Finds | February 15, 2022
A new report finds that Russia was linked to the majority of crypto ransomware invasions, siphoning the equivalent of $400 million in stolen funds to illicit addresses in that country. It appears Russia has strong ties to the majority of crypto hacks and cybercrimes, especially when you consider that 74% of ransomware revenue in 2021 — over $400 million worth of cyptocurrency — went to accounts affiliated with the country in some way, according to a new report from cryptocurrency tracking and analytics firm, Chainalysis.
- Close to $12,000 STOLEN OUT OUT MY COINBASE… I WANT ANSWERS!!! Reddit User | 11 Months Ago
Case #05530638, #05542432. This all happened 4/15/21-4/16/21. How can I talk with someone from coinbase? I am so frustrated that someone stole my Bitcoin, ETH, and transferred $500 from my bank account and stole that too from my coinbase… Total almost $12,000. I am trying to understand what is going on and now I am completely blocked out of coinbase. I want answers!
An increasing number of users of the highly popular cryptocurrency exchange Coinbase have found their accounts on the platform empty after hackers managed to gain access to them and drain their cryptocurrency wallets.
Raza says Coinbase, the cryptocurrency exchange where he was robbed, has not been able to provide a solution and he thinks they need to step up security protocols.
In four minutes, cyber looters pilfered $34,123 worth of virtual currency from a Virginia resident’s Coinbase (COIN) account, the 38-year-old told Yahoo Finance.
- Coinbase hacked in the middle of the night $60k stolen. What should I do? Reddit | January, 2021
I received several txts last night sending me a 2fa code. I woke up and my bitcoin was transferred at 230am to some address. Any idea what happened? Was it my cell phone provider? Seems fishy to me since I could not detect any threats my phone. No idea how the culprit read my txt messages but oh well.
- All of My Crypto Was Stolen! On Coinbase | Reddit User | 8 Months Ago
I am an active user of CoinBase and somehow my account was breached even with 2FA enabled. The hackers stole all of the coins in my account by converting them to BTC and sending them to their wallet. They then deposited $1k USD and purchased BTC using my debit card and stole it before I could lock my account down.
- CoinBase Account Hacked – $23k Stolen and NO HELP from CoinBase | Reddit User | March 15 – 7 months
Taking my case to reddit. My account was hacked approximately 3 weeks ago and .50 BTC (approximately $23k USD) was stolen from my account. In summary, I decided to log into my account one day to check in on the balance. A hacker had locked my account out.
…hackers managed to get into the accounts and move funds off the platform, draining some accounts dry. Thousands of customers had already begun to complain to Coinbase that funds had vanished from their accounts…Coinbase did not disclose how much cryptocurrency was stolen in the attack.
- Coinbase slammed for what users say is terrible customer service after hackers drain their accounts | CNBC | August 24, 2021
CNBC interviewed Coinbase users across the country. The interviews and complaints revealed a pattern of account takeovers, where users see money suddenly vanish from their account, followed by poor customer service from the company. Since 2016, Coinbase users have filed more than 11,000 complaints against Coinbase with the Federal Trade Commission and Consumer Financial Protection Bureau, mostly related to customer service.
- Coinbase customers up in arms after hackers drain crypto wallets | August 26, 2021
An increasing number of users of the highly popular cryptocurrency exchange Coinbase have found their accounts on the platform empty after hackers managed to gain access to them and drain their cryptocurrency wallets.
Loads of scams out there. Remember Coinbase does not support chat. You will never speak with a Coinbase employee.
I have been trying to contact Coinbase support since Thursday when I saw $25k BTC sold from my wallet without my consent and could not receive any assistance at all from Coinbase to protect my investment.
- A string of thefts hit Bitcoin’s most reputable wallet service | The Verge | February 7, 2014
It was 10.6 bitcoins held in the wallet service Coinbase, the most well-funded and widely implemented service on the market.
- Coinbase is mistakenly draining customers’ bank accounts, and people are freaked | Mashable | February 15, 2018
All your money is gone. Whoops! Sorry for your loss. Some Coinbase account holders are losing their shit today as they look to their bank statements to find that the exchange has withdrawn excessive amounts of money from their accounts.
California-headquartered crypto trading platform Coinbase—has been named in at least 115 complaints sent to the U.S. Securities and Exchange Commission and the California Department of Business Oversight
“I believe Coinbase has engaged in fraud by knowingly marketing a service it knows it cannot actually provide,” the filing from November last year read, adding: “Coinbase knows it does not have the infrastructure to timely and adequately meet customer needs.” At the time, bitcoin and other virtual currencies were rocketing in value, leading to an unprecedented interest from eager new investors
- T-Mobile Sued Again Over SIM Swap Crypto Losses | Law Street |
Yesterday, Kevin Frye filed a complaint in the Southern District of Florida against T-Mobile USA, Inc. for allegedly conducting a “SIM-Swap” without his consent, resulting in the loss of tens of thousands of dollars worth of cryptocurrency. The plaintiff claimed that “T-Mobile Representatives were either complicit with the theft or grossly negligent” since they have been on “notice for years that their security measures were not adequate.”
- SIM swapping victim alleges T-Mobile failed to stop $20,000 cryptocurrency scam | Cyberscoop | June 4, 2021
A Pennsylvania woman who lost the equivalent of $20,000 in cryptocurrency as part of a mobile fraud scheme says T-Mobile failed to protect her account in the face of a wave of similar incidents.
Nine months before scammers stole $20,000 from Kesler’s Coinbase account, the suit argues, Jack Dorsey was the victim of another high profile SIM swap, in which outsiders seized control of the Twitter CEO’s information. Security journalist Brian Krebs also covered the issue in 2018, specifically reporting that a T-Mobile retail store employee was under investigation for making an unauthorized SIM swap.
- Hackers Circle as Individual Investors Pour Cash Into Crypto | The Wall Street Journal | November 21, 2021
Mr. Harris sued T-Mobile in July, alleging the company’s practices didn’t meet federal standards and allowed a hacker to take over his phone number in 2020 and steal bitcoin worth nearly $15,000 at the time, and more now.
T-Mobile declined to comment on the suit but motioned to move the case to arbitration. Like Verizon and AT&T, the company requires arbitration to resolve disputes in its terms of service, often leading to closed-door settlements.
- Massive data breach at T-Mobile lands giant class action in KC federal court | Kansas City Business Journal | January 5, 2022
Hackers stole the personal identification data for millions of past, present and prospective T-Mobile customers, leading to a huge class-action lawsuit.
- Hacker lifts $1 million in cryptocurrency using San Francisco man’s phone number, prosecutors say | CNBC | November 21, 2018
Losing cellphone service is inconvenient. But in some cases, it also might mean you’re getting hacked.
“It’s a whole new wave of crime,” said Erin West, the deputy district attorney of Santa Clara County. “It’s a new way of stealing of money: They target people that they believe to have cryptocurrency,” she told CNBC.
- T-Mobile data breach and SIM-swap scam: How to protect your identity | Cnet | August 22, 2021
Just when you think the massive T-Mobile hack can’t get any worse, on Friday the carrier announced that over 50 million people, including current and former customers as well as prepaid customers, were affected by the breach. Information like Social Security numbers, driver’s licenses and account PINs were exposed.
- Another Bitcoin Investor Sues T-Mobile Over SIM Swap Attack | Coindesk | July 15, 2021
Cellphone carrier T-Mobile is being sued over allegations it failed to safeguard against a SIM swap scam that cost one customer $55,000 in lost.
- T-Mobile Sued Over $8.7M Stolen in SIM-Swap Attacks | Cointelegraph | July 23, 2020
The CEO of a crypto firm that recently settled with the SEC over its 2017 ICO is suing T-Mobile over a series of SIM-swaps that resulted in the loss of $8.7 million worth of crypto.
The suit accuses T-Mobile of having “abjectly failed” in its responsibility to protect the personal and financial information of its customers.
- Crypto Theft Victim Sues T-Mobile for Allowing SIM-Swap Attack | Finance Magnates | February 12, 2021
A victim of a crypto theft using SIM-swap attack has filed a lawsuit against T-Mobile, alleging the failure and negligence on the part of the US cell phone carrier in preventing these scams.
“This action arises out of T-Mobile’s systemic and repeated failures to protect and safeguard its customers’ highly sensitive personal and financial information against common, widely reported, and foreseeable attempts to illegally obtain such information,” the lawsuit alleged.
- T-Mobile being sued by victim of SIM swapping attack | Tmo News | February 11, 2021
T-Mobile is currently facing a complaint against one of the victims of SIM swapping, a type of fraud.
Cheng believed that the attack would not have happened if not for “T-Mobile‘s negligent practices and its repeated failure to adhere to federal and state law.”
- T-Mobile Is Facing Another SIM Swapping Complaint | Android Headlines |
T-Mobile is facing yet another SIM swapping complaint involving cryptocurrency theft. Last week, a Philadelphia man named Richard Harris filed a complaint in the Eastern District of Pennsylvania against the wireless giant alleging he lost approximately $55,000 worth of Bitcoin due to the company’s failure to safeguard his account
The sim was successfully swapped which means that either it was done without the pin or the person knew the pin. Again, this is only possible if it was a T-Mobile employee and most likely one of the employees that help a month prior during the line add and upgrade.
When it comes to security or whatever it is leave T-Mobile. It is insider job someone is doing sim swaps.
- Why you can’t ignore the hackers and data breaches, like one at T-Mobile | Detroit Free Press |
T-Mobile confirmed this week that it was hit by a “highly sophisticated cyberattack” that exposed names, dates of birth, Social Security numbers and driver’s license information for more than 40 million consumers who had applied for credit with T-Mobile.
After a crazy week where T-Mobile handed over my phone number to a hacker twice, I now have my T-Mobile, Google, and Twitter accounts back under my control. However, the weak link in this situation remains and I’m wary of what could happen in the future.
- T-Mobile discloses data breach after SIM swapping attacks | Bleeping Computer |
American telecommunications provider T-Mobile has disclosed a data breach after an unknown number of customers were apparently affected by SIM swap attacks. SIM swap fraud (or SIM hijacking) allows scammers to take control of targets’ phone numbers after porting them using social engineering or after bribing mobile operator employees to a SIM controlled by the fraudsters.
- Fraudulent Sale of My SIM card | T-Community | 2019
Yesterday, someone went into a T-Mobile retail store used a fake California Drivers License to buy a copy of my SIM card.
And now for the crazy chain of events, where T-mobile allowed a complete stranger to do a SIM swap on me, and Coinbase allowed a complete stranger to change my Coinbase identity with no questions asked.
Silver Miller said that “with little more than a persuasive plea for assistance, a willing telecommunications carrier representative, and an electronic impersonation of the victim,” criminals can manage to steal millions of dollars targeting unsuspecting victims.
Hackers swapped my T-Mobile SIM card without my approval and methodically shut down access to most of my accounts and began reaching out to my Facebook friends asking to borrow crypto.
Coinbase has admitted that hackers stole crypto from thousands of its users’ accounts over a three-month period.
Bad actors were able to infiltrate the accounts of and steal cryptocurrency from around 6,000 Coinbase customers by exploiting a multi-factor authentication flaw.
Matthew doesn’t know how the hackers were able to access his Coinbase account, but he remembered that when he signed up with Coinbase, they advertised they had insurance.