AT&T Sim Swap Incident Resulted in $150K Theft from Victim’s Coinbase Account
SAMPLE COMPLAINT AGAINST AT&T MOBILITY LLC
The information provided here does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Readers of this post should contact their attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information of this sample arbitration complaint without first seeking legal advice from counsel in the relevant jurisdiction.
Claimant, by and through his attorneys, brings this against Respondent AT&T MOBILITY LLC. (“Respondent”, “AT&T”) pursuant to the Federal Communications Act, a common law theory of gross negligence, a common law theory of negligent hiring, retention, and supervision, and the Computer Fraud and Abuse Act.
INTRODUCTION
- This action arises out of Respondent’s systemic and repeated failures to protect and safeguard its customers’ highly sensitive personal and financial information against common, widely reported, and foreseeable attempts to illegally obtain such information.
- In particular, AT&T solemnly promises its customers to safeguard their private information – and especially their data-rich SIM cards – from any unauthorized disclosure.
- Besides the numerous promises that AT&T makes in its own Privacy Policy and Code of Business Conduct, federal and state laws impose a strict duty on AT&T, the nation’s largest cellular telephone carrier, to take all necessary steps to preserve the privacy of its more than 100 million customers. However, it seems that AT&T fully ignores such duties.
- Also it should be noted that AT&T employees’ were found culpable for stealing personal information for over 200,000 customers and selling it to criminals to unlock mobile phones. This massive security failure prompted the Federal Communications Commission in 2015 to levy a record fine of $25 million and secure a consent decree requiring AT&T to implement detailed measures to enhance its customers’ protection against unauthorized disclosures of their private information.
- More recently, AT&T employees are participating in a new species of fraud – SIM-swap fraud – which is allowing hackers readily to bypass AT&T security to rob AT&T customers of valuable personal information and millions of dollars’ worth of cryptocurrency.
- As a result of Respondent’s misconduct as alleged herein, including their gross negligence in failing to protect customer information, its negligent hiring and supervision of customer support personnel, and its violations of federal and state laws designed to protect wireless service consumers, Claimant lost digital assets, with a current estimated value in excess of approximately of $ 150,000.00 resulting from an account takeover scheme (also known as a “SIM-swap”) which could not have occurred but for Respondent’s intentional actions and negligent practices, along with their repeated failure to adhere to federal and state laws.
PARTIES
- Claimant is a resident of California.
- Respondent is a Delaware limited liability company with its principal office or place of business in the State of Georgia. AT&T Mobility LLC transacts or has transacted business in this district and throughout the United States.
FACTUAL BACKGROUND
RELEVANT TO ALL CAUSES OF ACTION
- AT&T is one of the world’s leading providers of communications services. AT&T offers what it claims to be the nation’s most reliable 5G service, reaching more than 255 million people and more than 16,000 cities and towns in the U.S., AT&T Fiber is rated no. 1 in customer satisfaction. See https://about.att.com/pages/corporate-profile.
- AT&T spent over $100 million on advertising in digital, print, and national TV in the last year. AT&T invests in premium ad units and advertised on over 250 different Media Properties in the last year across multiple Media formats. AT&T launched and advertised 6 new products in the past twelve months See https://advertisers.mediaradar.com/att-advertising-profile.
- It is recognized and has been widely publicized that mishandling of customer wireless accounts, including, but not limited to, allowing unauthorized access, can facilitate identity theft and related consumer harm.
- Upon information and belief, AT&T is directly liable for the harm suffered by Claimant because it has long known that its customers are subject to SIM swap fraud (also called SIM swapping, SIM hijacking) perpetrated by hackers often with the active cooperation of its own employees.
- Claimant alleges on information and belief that AT&T knew well before the incident that it was subject to widespread SIM swap fraud.
- Claimant alleges further that AT&T knew that cryptocurrency investors were specifically targeted by SIM swapping and that AT&T was the weak link in such fraud.
- Claimant also alleges on information and belief that AT&T knew or should have known that its employees frequently cooperated with hackers and thieves to bypass its security procedures. This is confirmed in numerous articles on SIM swap fraud as mentioned below.
- In particular, many major media outlets have written about telecommunication carrier’s SIM swap hacks, including AT&T. These publications include, but are not limited to: Vice[1], FOX11[2], Medium[3], The Washington Post[4], The Wall Street Journal[5], Yahoo![6], Law 360[7], CoinDesk[8], The New York Post[9], Wired[10], Law Street[11], Ars Technica[12], KrebsonSecurity[13], Bitcoinist.com[14] as well as various local media affiliates of major news outlets[15].
- In 2020 researchers at Princeton University evaluated the SIM authentication procedures at five prepaid U.S. wireless carriers, including AT&T, and found that they all used insecure authentication challenges that could easily be subverted by attackers: “Our key finding is that, at the time of our data collection, all 5 carriers used insecure authentication challenges that could easily be subverted by attackers”[16]. Further, Vice wrote an article stating that a spokesperson for AT&T said that the company has “security measures in place, and continue to add more, to help prevent fraud including SIM swaps and porting.”[17].
- In addition, The Federal Bureau of Investigation issued an announcement “Criminals Increasing SIM Swap Schemes to Steal Millions of Dollars from US Public” to inform mobile carriers and the public of the increasing use of Subscriber Identity Module (SIM) swapping by criminals to steal money from fiat and virtual currency accounts. According to the announcement from January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping incidents with adjusted losses of approximately $12 million. In 2021, IC3 received 1,611 SIM swapping complaints with adjusted losses of more than $68 million[18].
- As one of the wireless carriers, AT&T’s operations must comply with various federal and state statutes, including (but not limited to) the Federal Communications Act (“FCA”) 47 U.S.C. §222.
- AT&T failed in its obligations under the Act as the FCA obligates AT&T to protect the “confidentiality of proprietary information of [its] customers” and “customer proprietary network information” (commonly referred to as “CPI” and “CPNI”, respectively). See 47 U.S.C. §222(a), (c).
- The Federal Communications Commission (“FCC”) has promulgated rules to implement Section 222 of the FCA “to ensure that telecommunications carriers establish effective safeguards to protect against unauthorized use or disclosure of CPNI.” In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, 07-22 FCC Rcd. (Mar. 13, 2007); see also 47 C.F.R. §64.2001 et seq. (“CPNI Rules”).
- The CPNI Rules limit disclosure and use of CPNI without customer approval to certain limited circumstances (such as cooperation with law enforcement), none of which are applicable to the facts here. See 47 C.F.R. §64.2005.
- The CPNI Rules also require carriers to implement safeguards to protect customers’ CPNI. See 47 C.F.R. §64.2009(b), (d), and (e). These safeguards include: (a) training personnel “as to when they are and are not authorized to use CPNI”; (b) establishing “a supervisory review process regarding carrier compliance with the rules”; and (c) filing annual compliance certificates with the FCC. Id.
- The CPNI Rules further require carriers to implement measures to prevent the disclosure of CPNI to unauthorized individuals. For example, “carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” 47 C.F.R. §64.2010(a). In particular, “carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated telephone contact, online account access, or an in-store visit.” In the case of in-store access to CPNI, “[a] telecommunications carrier may disclose CPNI to a customer who, at a carrier’s retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer’s account information.” 47 CFR § 64.2010(d). “Valid photo ID” is defined in 47 CFR § 64.2003(r) as “a government-issued means of personal identification with a photograph such as a driver’s license, passport, or comparable ID that is not expired.”
- Further, on April 8, 2015, the FCC fined AT&T a record $25 million for violating Section 222 of the FCA by allowing its employees to hand over to thieves the CPNI of almost 280,000 customers. In addition to being forced to pay $25 million to the FCC, AT&T entered into a consent decree (“Consent Decree”) requiring it to implement measures to protect CPNI. In the Consent Decree and the FCC’s adopting order (“Adopting Order”), the FCC highlights AT&T’s lax security practices and dismal failure to supervise and monitor employees that led to its unprecedented breach of its customers’ confidential and private information. See In the Matter of AT&T Services, Inc., 30 FCC Rcd. 2808.
- The FCC found that AT&T employees used their login credentials to access the confidential information of almost 280,000 customers. The FCC concluded that AT&T’s data security measures “failed to prevent or timely detect a large and ongoing Data Breach.” Id. at 2813. The FCC also found that AT&T had not properly supervised its employees’ access to its customers’ personal information, including CPNI. The FCC concluded that AT&T’s “failure to reasonably secure customers’ proprietary information violates a carrier’s statutory duty under the Communications Act to protect that information and constitutes an unjust and unreasonable practice in violation of the Act.” Id. at 2808 (Adopting Order § 2). In the Adopting Order, the FCC emphasized the importance of AT&T’s obligation to adhere to the obligations embodied in Section 222 of the FCA. According to the Adopting Order, the purpose of Section 222 is to “ensure that consumers can trust that carriers have taken appropriate steps to ensure that unauthorized persons are not accessing, viewing or misusing their personal information.” Id. Carriers like AT&T are thus required to take “every reasonable precaution to protect their customers’ data” and to notify consumers regarding any breaches in order to “aid in the pursuit and apprehension of bad actors and provide valuable information that helps affected consumers [to] be proactive in protecting themselves in the aftermath of a data breach.” Id.
- As a condition of terminating the FCC’s investigation of AT&T’s violations of Sections 201(b) and 222 of the FCA, the FCC imposed numerous requirements on AT&T to improve its supervision of employees and to adhere to its legal obligation to protect the privacy of AT&T’s customers. Moreover, the Consent Decree imposed obligations not only on AT&T itself, but also on AT&T’s “Covered Employees,” who are defined as “all employees and agents of AT&T who perform or directly supervise, oversee, or manage the performance of duties that involve access to, use, or disclosure of Personal Information or Customer Proprietary Network Information at Call Centers managed and operated by AT&T Mobility.” Id. at 2811. “Call Center” is defined broadly in the Consent Decree as call centers operated by AT&T or its contractors “that provide mobility customer service or wireless sale service for AT&T Mobility consumer customers.” Id. at 2810.
- As noted paragraph 18 of the FCC Consent Decree required AT&T to institute a “Compliance Plan designed to ensure future compliance with the [FCA] and with the terms and conditions of this Consent Decree.” Id. The Compliance Plan had to include a Risk Assessment, Information Security Program, Ongoing Monitoring and Improvement, and a Compliance Review. Id.
- The “Information Security Program” required in Paragraph 18(b) must be “reasonably designed to protect CPNI and Personal Information from unauthorized access, use, or disclosure by Covered Employees . . ..” Id. AT&T’s program must be documented in writing and include:
(i) administrative, technical, and physical safeguards reasonably designed to protect the security and confidentiality of Personal Information and CPNI;
(ii) reasonable measures to protect Personal Information and CPNI maintained by or made available to Vendors, Covered Employees, and Covered Vendor Employees;
(iii) access controls reasonably designed to limit access to Personal Information and CPNI to authorized AT&T employees, agents, and Covered Vendor Employees;
(iv) reasonable processes to assist AT&T in detecting and responding to suspicious or anomalous account activity, including whether by malware or otherwise, involving Covered Employees and Covered Vendor Employees; and
(v) a comprehensive breach response plan that will enable AT&T to fulfill its obligations under applicable laws, with regard to breach notifications, including its obligations under paragraph 20 while that paragraph remains in effect. Id.
- Paragraph 18(c) of the Consent Decree required AT&T to “monitor its Information Security Program on an ongoing basis to ensure that it is operating in a manner reasonably calculated to control the risks identified through the Risk Assessment, to identify and respond to emerging risks or threats, and to comply with the requirements of Section 222 of the [FCA], the CPNI Rules, and this Consent Decree.” Id. at 2817. In addition, Paragraph 18(g) required AT&T to “establish and implement a Compliance Training Program [for employees] on compliance with Section 222, the CPNI Rules, and the Operating Procedures.” Id. All “Covered Employees” are required to be trained within six months of hire and periodically thereafter. Id.
- Further AT&T regularly holds itself out to the general public as a secure and reliable custodian of customer data, including customer’s confidential financial and personal information. In its Privacy Policy (“Privacy Policy”) and Code of Business Conduct (“COBC”), AT&T acknowledges its responsibilities to protect customers’ personal information under the FCA, the CPNI Rules and other regulations. A true and correct copy of the Privacy Policy available at https://about.att.com/privacy/full_privacy_policy.html. All available information regarding the AT&T’ COBC available at https://cobc.att.com/responsibilities.
- In its Privacy Policy AT&T makes binding promises and commitments to its customer that AT&T works hard to safeguard customer’s data using a range of technological and organizational security controls. In its Privacy Policy AT&T promises that it maintains and protects the security of computer storage and network equipment, and uses security procedures that require employees to authenticate themselves to access sensitive data, AT&T also limits access to personal information only to those with jobs requiring such access, AT&T requires callers and online users to authenticate themselves before providing account information.
- AT&T states that it takes steps to ensure that data is processed according to this Policy and to the requirements of applicable law of its customer’s country and of the additional countries where the data is subsequently processed
- AT&T further promises that it uses CPNI internally and share it outside AT&T only when conforming with applicable regulations and orders of the Federal Communications Commission. AT&T represents that it does not share CPNI with anyone outside of the AT&T affiliates or its authorized agents or vendors without its customer’s consent, with the following authorized exceptions: Court orders; as authorized by law; fraud detection; to provide customer’s service and route customer’s calls; for network operations and security; and then only aggregate (grouped) information and information that doesn’t identify customers personally
- AT&T has a duty under federal law to protect the confidentiality of customer’s CPNI. Also AT&T’s CEO John Stankey makes binding promises that “Our commitment at AT&T is to act with honesty, integrity and transparency in everything we do. This is what our customers expect of us and what we demand from each other. AT&T’s Code of Business Conduct serves as our roadmap for doing business the right way, every day and through every interaction.[19]”
- AT&T represents in the COBC that: “As AT&T employees, we are part of a long tradition of employees who have conducted themselves in an ethical manner that reflects positively on the Company. We focus on doing the right thing upholding our shared commitment to complying with laws, regulations, and internal policies. Acting ethically is every employee’s responsibility. This extends beyond our work day. Employees may be held accountable for actions, on or off the job that could impair work performance or affect the company’s reputation or business interests. We are accountable for being familiar with and following this Code and the Company’s policies and guidelines. AT&T investigates possible violations of the law, this Code, Company policies and guidelines, as well as any other behavior that we believe is unethical and/or could harm the Company, its employees, our property, or others. We cooperate fully with the Company’s investigations.”[20]
- Further AT&T ensures that “We earn and preserve our customers’ trust by treating them with honesty and integrity and in a professional, courteous manner. We fairly represent our products and services to them. We listen to our customers and challenge ourselves to find new ways to deliver a unique customer experience. We deliver what we promise. We do not provide goods or services that customers did not authorize. We protect the privacy of our customers’ communications. Not only do our customers demand this, but the law requires it. Maintaining the confidentiality of communications is, and always has been, a crucial part of our business. AT&T possesses sensitive, detailed information about our customers who rely on AT&T to safeguard that information. Laws and regulations tell us how to treat such data. Any inappropriate use of confidential customer information violates our customers’ trust and may also violate a law or regulation. Preserving our customers’ trust by safeguarding their private data is critical.”[21]
- AT&T’s deceptive statements are designed to cover up for the fact that it is aware their security procedures can and do fall short of their expressed and implied representations and promises, as well as their statutory duties.
- Such failures, which lead to unauthorized access of customers’ information, were entirely foreseeable by AT&T, especially given the wide media coverage of such hackings prior to the event in dispute here.
- Also as alleged above, AT&T violated numerous terms and rules by failing to implement adequate security procedures to protect Claimant’s personal information, including CPNI, by failing to supervise and monitor its employees, by failing to ensure that its employees were ethical and competent, by failing to follow its security procedures and by failing to follow its legal obligations to protect Claimant’s personal information under the FAC, CPNI Rules.
- In sum, AT&T flagrantly and repeatedly violated its commitments to Claimant in its Privacy Policy and COBC, as well as its legal obligations under the FCA, the CPNI Rules by turning over to hackers Claimant’s wireless number that allowed hackers to access his personal information. AT&T’s betrayal of its obligations caused Claimant to lose $150,000.00.
A. SIM CARD SWAP
- AT&T is aware that various forms of account takeover fraud have occurred as said frauds have been widely reported in the press, by government regulators (including the Federal Trade Commission (“FTC”) and the FCC), in academic publications, and in multiple lawsuits across the country.
- These illegal schemes involve criminals and fraudsters gaining access to or “hijacking” customer wireless accounts, which often include sensitive personal and financial information, to induce third parties to conduct transactions with individuals they believe to be legitimate or known to them.
- As mentioned above, sometimes these schemes are perpetrated by employees of the wireless carriers, such as AT&T.
- One of the most damaging and pervasive forms of account takeover fraud is known as a “SIM-Swap”, whereby a third-party (with the help of a wireless carrier like AT&T) is allowed to transfer access to a customer’s cellular phone number from the customer’s registered “subscriber identity module” card (or “SIM card”) – to a SIM card controlled by the third party.
- A SIM Card has a complete record of a user’s cell phone history, inclusive of text messages, calls, and any applications which a user has downloaded.
- A SIM swap is when a hacker convinces a carrier to switch a phone number over to a SIM card they own. Once a hacker has access to the phone number, they control the text-based two-factor authentication checks specifically designed to add a layer of protection to sensitive accounts such as bank accounts, social media accounts, and email accounts.
- The wireless carrier, however, must effectuate the SIM card reassignment. Therefore, “SIM-swapping” is not an isolated criminal act, as it requires the wireless carrier’s active involvement to swap the SIM containing information regarding its customer to an unauthorized person’s phone.
- Indeed, unlike a direct hack of data, whereby a company like AT&T plays a more passive role, SIM-swaps are ultimately effectuated by the wireless carrier itself. For instance, in this case, it is AT&T that approved and allowed the SIM card change (without Claimant’s authorization), as well as all of the subsequent telecommunication activity that was used to access Claimant’s online accounts and cause the injuries suffered by Claimant.
- As such, by directly or indirectly exceeding authorized access to customer accounts, wireless carriers such as AT&T are liable under state and federal statutes, such as the Federal Communications Act (“FCA”).
- Once a third-party has access to the legitimate user’s SIM card data, it can then seamlessly impersonate that legitimate user (e.g., in communicating with others or contacting various vendors).
- A common target of SIM-swapping and account takeover fraud are individuals known, or expected, to hold cryptocurrency, because account information is often contained on users’ cellular phones, allowing criminals to transfer the legitimate user’s cryptocurrency to an account controlled by the third-party.
- The prevalence of SIM-swap fraud and AT&T’s knowledge of such fraud, including, but not limited to that performed with the active participation of its own employees, demonstrates that what happened with Claimant’s account was neither an isolated incident nor an unforeseeable event.
- As a regulated wireless carrier, AT&T has a well-established duty to protect the security and privacy of CPI and CPNI from unauthorized access and AT&T is obligated to certify its compliance with this mandate to the FCC every year.
- The FCA expressly restricts carriers like AT&T from unauthorized disclosure of CPNI.
- In light of the above, at the time of the event in the present case, AT&T ensured that it has a duty, under federal law, to protect the confidentiality of client’s CPNI[22], was keenly aware of its obligations, as well as multiple weaknesses in its internal processes and procedures to authenticate legitimate customers.
- The failure of AT&T to have proper safeguards and security measures as recommended by the FCC resulted in damages to Claimant in an amount to be determined at trial.
B. LACK OF SECURITY PROTOCOLS
- AT&T has been on notice for years (for example, FCC investigation of 2015) that their security measures were not adequate. Despite this, sufficient security measures were not in place to prevent this SIM Card swap and the corresponding theft.
- A SIM swapping attack is otherwise known as SIM splitting, SIM jacking, SIM hijacking, and port-out scamming. It’s a scam that happens when fraudsters use the weakness of two-factor authentication and verification which involves the second step of the process: receiving a text message or phone call to your cellphone number.
- Despite this knowledge of inherent security flaws, AT&T and its officers and directors acted with a conscious and reckless disregard for the security of their customers, failing to ratify and implement policies that would protect its customers’ accounts.
- A valid driver’s license and a valid pin/security code should have been required in order to port a number to a new phone.
- Security measures should have been in place which required the original SIM to be present in order for that information to be placed onto a new device.
- The fact that Claimant’s number was ported over without the original SIM device being present and without a valid ID corroborating Claimant’s identity points to either completely substandard security procedures or this being an inside job by an AT&T’s
- AT&T should require SIM Card swaps to be done in person via their extensive network of stores.
- AT&T’s Representatives were either complicit with the theft or grossly negligent.
- AT&T’s officers and directors exhibited a conscious and reckless disregard for the security of its customers by failing to implement sufficient security protocols.
- Claimant has filed a police report.
C. FACTS RELATING TO THE EVENT IN DISPUTE
- Claimant is an AT&T customer.
- On December 2021 Claimant realized that there was no service.
- At the same day a couple of hours latter Claimant called AT&T to find out what had happened with service on his phone and AT&T’s representative informed that his SIM was swapped to a new device with a different IMEI number. As an AT&T’s fraud department was closed at that time, AT&T’s representative assured that he disabled Claimant’s phone number and offered to contact the fraud department in the morning.
- The next day Claimant realized that his phone was not disabled as agreed and immediately contacted AT&T’s fraud department and was informed that an AT&T representative couldn’t disable the phone and it was still working. After long conversation with the fraud department Claimant’s account was finally disabled on that day.
FIRST CAUSE OF ACTION: VIOLATION OF THE FEDERAL COMMUNICATION ACT
- Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
- The FCA regulates interstate telecommunications carriers, including AT&T.
- AT&T is a “common carrier” or a “telecommunications carrier” engaged in interstate commerce by wire for the purpose of furnishing communication services within the meaning of Section 201(a) of the FCA. See 47 U.S.C. §201(a).
- As a “common carrier”, AT&T is subject to the substantive requirements of Sections 201 through 222 of the FCA. See 47 U.S.C. §§201-222.
- Under Section 201(b) of the FCA, common carriers may implement only those practices, classifications, and regulations that are “just and reasonable.” Practices that are “unjust or unreasonable” are unlawful.
- Section 206 of the FCA, entitled “Carriers’ liability for damages” provides:
In case any common carrier shall do, or cause or permit to be done, any act, matter, or thing in this chapter prohibited or declared to be unlawful, or shall omit to do any act, matter, or thing in this chapter required to be done, such common carrier shall be liable to the person or persons injured thereby for the full amount of damages sustained in consequence of any such violation of the provisions of this chapter, together with a reasonable counsel or attorney’s fee, to be fixed by the court in every case of recovery, which attorney’s fee shall be taxed and collected as part of the costs in the case.
- Section 207 of the FCA, entitled “Recovery of damages” further provides:
Any person claiming to be damaged by any common carrier subject to the provisions of this chapter may either make complaint to the [FCC] as hereinafter provided for, or may bring suit for the recovery of the damages for which such common carrier may be liable under the provisions of this chapter, in any district court of the United States of competent jurisdiction; but such person shall not have the right to pursue both remedies.
- Additionally, Section 222(c) of the FCA explicitly requires that telecommunications carriers protect its customers’ CPNI. See 47 U.S.C. §222(c).
- According to the CPNI Rules:
Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated contact, online account access, or an in-store visit.
…
In-store access to CPNI. A telecommunications carrier may disclose CPNI to a customer who, at a carrier’s retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer’s account information. In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, 07-22 FCC Rcd. (Mar. 13, 2007).
AT&T violated its duties under Section 222 of the FCA by failing to protect Claimant’s CPI and CPNI by using, disclosing, or permitting access to Claimant’s CPI and CPNI without the consent, notice, and/or legal authorization of Claimant as required by the FCA, in that upon information and belief:
- during an in-store visit, or over the phone, Claimant’s CPI and CPNI were disclosed to someone other than Claimant by an agent of Respondent;
- during an in-store visit, or over the phone, Claimant’s CPI and CPNI were disclosed to someone who was not properly authenticated by Respondent during an in-store visit, or over the phone. Claimant’s CPI and CPNI were disclosed to someone who did not first present a valid photo ID to Respondent.
- As alleged herein, AT&T failed to protect the confidentiality of Claimant’s CPI and CPNI when it disclosed Claimant’s CPI and CPNI to third-parties without Claimant’s authorization or permission.
- AT&T conduct, as alleged herein, constitute knowing violations of the FCA, including sections 201(b) and 222, as well as the CPNI Rules.
- AT&T is also liable for the acts, omissions, and/or failures, as alleged herein, of its officers, employees, agents, or any other persons acting for or on behalf of AT&T.
- AT&T’s violation of the FCA allowed unauthorized parties to impersonate Claimant in transactions with others.
- AT&T violated the FCA, including Section 222, by allowing an unauthorized party to access Claimant’s CPI and CPNI, resulting in, inter alia, Claimant’s loss of his possessions approximately $ 150,000.00 worth of digital assets.
- As a direct consequence of AT&T’s violations of the FCA, Claimant has been damaged through the loss of his property approximately $ 150,000.00 worth of digital assets.
- Had AT&T not allowed the unauthorized access to Claimant’s account, Claimant would not have suffered this loss.
- AT&T, by its inadequate procedures, practices, and regulation, engages in practices which, when taken together:
- fail to provide reasonable, appropriate, and sufficient security to prevent unauthorized access to its customers’ wireless accounts;
- allow unauthorized persons to be authenticated; and
- grant access to sensitive customer account information.
- In particular, AT&T failed to establish and implement reasonable policies, procedures and safeguards governing the creation, access, and authentication of user credentials to access customers’ accounts, creating an unreasonable risk of unauthorized access.
- As such, in violation of the FCA, AT&T has failed to ensure that only authorized persons have access to customer account data and that customers’ CPI and CPNI are secure.
- Among other things, AT&T:
- failed to establish and enforce rules and procedures sufficient to ensure only authorized persons have access to AT&T customer accounts, including that of Claimant;
- failed to establish appropriate rules, policies and procedures for the supervision and control of its officers, agents and employees;
- failed to establish and enforce rules and procedures, or provide adequate supervision and/or training sufficient to ensure that its employees and agents follow such rules and procedures to restrict access by unauthorized persons;
- failed to establish and enforce rules and procedures to ensure AT&T’s employees and agents adhere to the security instructions of customers with regard to accessing customers’ accounts, including that of Claimant;
- failed to adequately safeguard and protect its customers’ wireless accounts;
- permitted the sharing of and access to user credentials among AT&T’s agents or employees without a pending request from the customer, reducing the likely detection of and accountability for unauthorized access;
- failed to appropriately supervise employees and agents, who granted unauthorized access to customers’ accounts, including that of Claimant;
- failed to adequately train and supervise its employees, officers, and agents to prevent the unauthorized access to customer accounts;
- failed to prevent the ability of employees, officers, and agents to access and make changes to customer accounts without specific customer authorization;
- allowed “SIM swap” of cell phone number without properly confirming that the request was coming from legitimate customer;
- lacked proper monitoring and, therefore, failed to monitor its systems for the presence of unauthorized access in a manner that would allow AT&T to detect intrusions, breaches of security, and unauthorized access to customer information;
- failed to implement and maintain readily available best practices to safeguard customer information (and indeed, seemed to suggest such practices were only available to those customers who “paid for” the privilege of having their information secured);
- failed to diagnose and determine timely the cause of Claimant’s service interruption;
- failed to notify Claimant timely of the cause of Claimant’s service interruption; and
- failed to implement and maintain internal controls to help protect against account takeovers and SIM-swaps by unauthorized persons.
- The inadequate security measures, policies and safeguards employed by AT&T created a foreseeable and unreasonable risk of unauthorized access to the accounts of its customers, including that of Claimant.
- Upon information and belief, AT&T has been long aware of its inadequate security measures, policies, and safeguards, and nevertheless, induced customers into believing that its systems were secure and compliant with applicable law.
- AT&T, despite knowing the risks associated with unauthorized access to customer accounts, failed to utilize reasonable and available methods to prevent or limit such unauthorized access.
- AT&T failed in its duty to protect and safeguard customer information and data pursuant to federal law.
- Had AT&T implemented appropriate and reasonable security measures, Claimant would not have been damaged.
- In sum, Respondent’s security measures were entirely inadequate to prevent the foreseeable damage caused to Claimant. AT&T failed to protect the confidentiality of Claimant’s CPI and CPNI, including her wireless telephone number, account information, and her private communications, by divulging that information to unauthorized person.
- Through its negligence, gross negligence and deliberate acts, including inexplicable failures to follow its own security procedures, supervise its employees, the CPNI Regulations, its Privacy Policy and the COBC, and by allowing its employees to bypass such procedures, AT&T permitted unauthorized person to access Claimant’s telephone number, telephone calls, text messages and account information to steal nearly $150,000.00 worth of cryptocurrency.
SECOND CAUSE OF ACTION: NEGLIGENCE
- Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
- AT&T owes a duty of care to its customers to ensure the privacy and confidentiality of CPI and CPNI during its provision of wireless carrier services, as required by both federal and state law. In other words, AT&T owed a duty to Claimant to exercise reasonable care in safeguarding and protecting her personal information, including CPI and CPNI, and keeping it from being compromised, lost, stolen, misused and/or disclosed to unauthorized parties. This duty included, among other things, designing, maintaining, and testing its security systems to ensure that Claimant’s personal information was adequately secured and protected.
- By allowing unauthorized access to the personal and confidential information of legitimate AT&T’s customers, AT&T breached its duty of care to its customers and to foreseeable victims, including Claimant.
- AT&T breached its duty to exercise reasonable care in safeguarding and protecting Claimant’s personal information, including CPI and CPNI, by failing to adopt, implement, and maintain adequate security measures to safeguard that information, including its duty under the FCA, CPNI Rules and its own Privacy Policy.
- AT&T’s failure to comply with federal and state requirements for security further evidences AT&T’s negligence in failing to exercise reasonable care in safeguarding and protecting Claimant’s personal information.
- By failing to diagnose timely and properly the cause of Claimant’s service interruption, AT&T breached its duty of care to its customers and to foreseeable victims, including Claimant.
- But for the inadequate security protocols, practices, and procedures employed by AT&T in protecting customer data, including Claimant’s private and confidential information, Claimant would not have suffered any damage.
- But for the inadequate protocols, practices, and procedures employed by AT&T in diagnosing the causes of customers’ service interruptions, Claimant would not have suffered any damages.
- But for those intentional actions and/or inaction of Respondent and its agents, Claimant would not have suffered damages.
- But for AT&T’s inability to diagnose quickly and effectively and/or determine that Claimant’s account was compromised by a SIM-swap – a fact that AT&T should have known – Claimant would not have suffered damages.
- Claimant has been damaged through the loss of her property (digital assets) with a current estimated value is approximately $150,000.00. The injury and harm suffered by Claimant was the reasonably foreseeable result of AT&T’s failure to exercise reasonable care in safeguarding and protecting Claimant’s personal information.
THIRD CAUSE OF ACTION: GROSS NEGLIGENCE
- Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
- AT&T, as required by federal and state law, owed Claimant a duty to handle and safeguard properly Claimant’s CPI and CPNI and access to his account.
- AT&T was required to ensure its compliance with federal law and to protect the confidentiality of its customers’ account data, including that of Claimant.
- AT&T owed a duty to Claimant to exercise reasonable care in supervising and training its employees to safeguard and protect Claimant’s personal information, including CPI and CPNI, and to keep it from being compromised, lost, stolen, misused and/or disclosed to unauthorized parties.
- AT&T failed in that duty into that it was aware of the ability of its employees to bypass its security measures and the fact that its employees actively participated in fraud involving its customers, including SIM card swap fraud, by bypassing such security measures. AT&T also made promises that its employees would respect its customers’ privacy and AT&T supervises and trains its employees to adhere to its legal obligations to protect customers’ personal information.
- AT&T breached its duty to supervise and train its employees to safeguard and protect Claimant’s personal information, including CPI and CPNI, by not requiring them to adhere to its obligations under the CPNI Rules and other legal provisions. AT&T’s employees facilitated SIM swap fraud on Claimant by not requiring individuals requesting Claimant’s telephone number to present valid identification. AT&T knew its supervision and monitoring of its employees was inadequate through: a) the prior FCC investigation that led to mandating measures to improve such training and monitoring; and b) its knowledge from prior incidents and publications that its employees cooperated with hackers in SIM swap fraud. AT&T is morally culpable, given prior security breaches involving its own employees. AT&T breached its duty to exercise reasonable care in supervising and monitoring its employees to protect customer’s personal information. But for AT&T’s wrongful and negligent breach of its duties to supervise and monitor its employees, Claimant’s CPI and CPNI would not have been disclosed to unauthorized individuals through SIM swap fraud.
- AT&T willfully disregarded and/or showed reckless indifference to its duties under federal and state law to AT&T’s customers and to foreseeable victims of AT&T’s wrongful acts.
- Having superior knowledge of prior account takeover attacks on AT&T’s customers data and having the ability to employ internal systems, procedures, and safeguards to prevent such attacks, AT&T nevertheless failed:
-
- to institute appropriate controls to prevent unauthorized access to customers’ accounts;
- to utilize authentication systems it knew or should have known were vulnerable to account takeover attacks;
- to implement systems to thwart such attacks, willfully disregarding the best practices of the industry in failing; and
- to appropriately hire, retain, supervise, train, and control those officers, agents, and employees who could grant or obtain unauthorized access to customer account data.
These failures amounted to a breach of its duties as set out herein.
-
- AT&T’s policies, procedures and safeguards were completely ineffective and inadequate to prevent the unauthorized access to its customers’ data, notwithstanding the requirements of the CFA, thus meeting the definition of gross negligence and warranting punitive damages for violating federal and state law.
- AT&T’s negligence was a direct and legal cause of the theft of Claimant’s personal information and the legal cause of her resulting damages, including, but not limited to, the loss of nearly $150,000.00 worth of cryptocurrency.
FOURTH CAUSE OF ACTION: NEGLIGENT HIRING, RETENTION AND SUPERVISION
- Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
- At all material times herein, AT&T’s agents, officers, and employees, including, but not limited to, those directly or indirectly responsible for or involved in allowing unauthorized access to Claimant’s confidential and proprietary account information, were under AT&T’s direct supervision and control.
- AT&T was negligent in that it hired, retained, controlled, trained, and supervised the officers, agents, and employees under its control, or knew or should have known that such officers, agents, and employees could allow unauthorized access to customer accounts, including that of Claimant.
- AT&T was negligent in that it failed to implement systems and procedures necessary to prevent its officers, agents, and employees from allowing or obtaining unauthorized access to customer accounts, including that of Claimant.
- AT&T’s was negligent in its hiring, retention, control, training, and supervision in that such failures allowed the unauthorized access to customers’ accounts resulting in damage to AT&T’s customers and foreseeable victims in the public at large, including Claimant.
- Given widespread experience with account takeover and SIM-swap attacks (including some perpetrated and/or assisted by telecommunication carriers own employees, officers, or agents), AT&T’s failure to exercise reasonable care in screening, supervising, and controlling its officers, agents, and employees was a breach of its duty to its customers, including Claimant.
- AT&T’s duty to its customers and foreseeable victims to protect its customers’ data from unauthorized access is required by federal and state law.
- It was entirely foreseeable to AT&T that unauthorized persons would attempt to gain unauthorized access to AT&T customers’ data and, despite this, AT&T failed to implement sufficient safeguards and procedures to prevent its officers, agents, and employees from granting or obtaining such unauthorized access.
- Upon information and belief, AT&T engaged in the acts alleged herein and/or condoned, permitted, authorized, and/or ratified the conduct of its officers, agents, and employees.
- In sum, AT&T owed a duty to its customers to exercise reasonable care in hiring competent, honest, and ethical employees to safeguard and protect their personal information, to keep it from being compromised, lost, stole, misused and/or disclosed to unauthorized parties.
- AT&T also owed a duty to exercise reasonable care in the operation of AT&T stores, including by third parties, and their hiring of employees for those AT&T stores.
- AT&T knew that its employees had cooperated with hackers and thieves by turning over to them the CPNI of its customers to facilitate fraud and theft.
- It also knew from prior incidents of SIM swap fraud that its employees cooperated with hackers and thieves defrauding AT&T’s own customers.
- AT&T also ensured that its employees would adhere to AT&T’s ethical and legal obligations, including respecting its customers’ privacy.
- AT&T breached its duty to hire employees who would safeguard and protect customer’s personal information.
- Employee Omar R, who facilitated the SIM swap fraud perpetrated on Claimant did not live up to AT&T’s purported ethical standards, as expressed in the COBC, or to their legal obligations to Claimant.
- AT&T knew that its hiring of employees was inadequate through the prior FCC investigation that revealed that employees had actively handed over the personal information of its customers to hackers and thieves.
- AT&T is morally culpable, given the prior conduct of its employees. AT&T breached its duty to properly hire competent, honest and ethical employees to protect customer’s CPI and CPNI.
- But for AT&T’s wrongful and negligent breach of its duties to hire ethical and competent employees, Claimant’s CPI and CPNI would not have been disclosed to unauthorized individuals through SIM swap fraud.
- As a direct consequence of AT&T’s negligent hiring, retention, control and supervision of its officers, agents, and employees, who enabled or obtained the unauthorized access to Claimant’s account, Claimant was damaged through the loss of her digital assets with a current estimated value in excess of approximately $150,000.00.
FIFTH CAUSE OF ACTION: VIOLATIONS OF THE COMPUTER FRAUD AND ABUSE ACT
- Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
- The CFAA governs those who intentionally access computers without authorization or who intentionally exceed authorized access, and as a result of such conduct cause damage and loss.
- As alleged herein, a SIM-swap attack requires the intentional access to customer computer data by AT&T which exceeds its authority, and which causes damage and loss. As such, AT&T is subject to the provisions of the CFAA.
- AT&T’s conduct, as alleged herein, constitutes a knowing violation of the CFAA.
- AT&T is also liable for the acts, omissions, and/or failures, as alleged herein, of any of its officers, employees, agents, or any other person acting for on behalf of AT&T.
- AT&T violated its duty under the CFAA by exceeding its authority to access the computer data and breach the confidentiality of the proprietary information of Claimant using, disclosing, or permitting access to Claimant’s CPNI without the consent, notice, and/or legal authorization of Claimant as required by the CFAA.
- Section 1030(g) of the CFAA provides, in pertinent part:
Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage….
- Claimant alleges he has suffered damages which exceed the threshold of $5,000.00 as required by Section 1030(c)(4)(A)(i)(I) of the CFAA.
- Claimant alleges AT&T’s unlawful conduct has caused damage which exceeds approximately $ 150,000.00.
- Claimant discovered damage on or about December 2021 and has brought this claim within two (2) years of the date of discovery of the damage pursuant to Section 1030(g) of the CFAA.
- AT&T’s conduct as alleged herein constitutes a violation of Section (a)(5)(A) of the CFAA.
- AT&T’s conduct as alleged herein may constitute an intentional violation of Section (a)(5)(C) of the CFAA.
- As a direct consequence of AT&T’s violations of the CFAA, Claimant has been damaged in an amount to be proven at trial but, upon information and belief, exceeds $150,000.00 plus fees and costs, including reasonable attorneys’ fees.
PRAYER FOR RELIEF
WHEREFORE Claimant demands a judgment against AT&T as follows:
-
-
-
- Enter judgment for Claimant on all counts;
- Award compensatory damages to Claimant arising from AT&T’s negligence;
- Award statutory damages to Claimant for AT&T’s FCA violations;
- Award punitive damages to Claimant for AT&T’s gross negligence and the conscious and reckless disregard of its customer’s data;
- Award statutory damages to Claimant for AT&T’s CFAA violations;
- Award Claimant costs and reasonable attorneys’ fees;
- Award Claimant prejudgment interest; and
- Award Claimant such other and further relief as this Tribunal deems just, fair, and proper.
-
-
References
[1] https://www.vice.com/en/article/a3q7mz/hacker-allegedly-stole-millions-bitcoin-sim-swapping, https://www.vice.com/en/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam
[2] See https://www.foxla.com/news/fox-11-tracks-down-verizon-employee-accused-of-taking-bribes-from-sim-swap-hackers
[3] See https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac
[4] See https://www.washingtonpost.com/technology/2021/08/19/t-mobile-data-breach-what-to-do/
[5] See https://www.wsj.com/articles/tracfone-customers-complain-of-unwanted-phone-number-swaps-11643205624
[6] See https://ca.movies.yahoo.com/t-mobile-sim-swapping-data-breach-190612616.html
[7] See https://www.law360.com/articles/1429370/t-mobile-called-to-court-for-sim-swap-schemes
[8] See https://www.coindesk.com/policy/2020/01/24/crypto-execs-18m-sim-swap-lawsuit-has-critical-holes-says-att/, https://www.coindesk.com/markets/2020/07/23/veritaseum-accuses-t-mobile-of-gross-negligence-over-86m-sim-swap-hack/
[9] See https://nypost.com/2020/08/08/cryptocurrency-fraud-reginald-middleton-sues-t-mobile-for-phone-hack/
[10] See https://www.wired.com/story/t-mobile-breach-much-worse-than-it-had-to-be/
[11] See https://lawstreetmedia.com/news/tech/att-sued-after-sim-swapping-attack-causes-customers-six-figure-cryptocurrency-loss/
[12] See https://arstechnica.com/tech-policy/2019/10/att-employees-helped-sim-swap-hackers-rob-man-of-1-8-million-lawsuit-says/
[13] https://krebsonsecurity.com/2018/08/florida-man-arrested-in-sim-swap-conspiracy/
[14] https://bitcoinist.com/sim-swapping-bitcoin-thief-charged-california-court/
[15] See https://www.fox2detroit.com/news/tech-security-expert-warns-about-sim-card-scam-on-t-mobile-customers; https://www.click2houston.com/news/investigates/2021/11/16/kprc-2-investigates-phone-number-swap-scam-warning/.
[16] See https://www.fiercewireless.com/wireless/researchers-identify-5-prepaid-carriers-as-vulnerable-to-sim-swap-fraud
[17] See https://www.vice.com/en/article/3azv4y/verizon-sim-swapping-hack-protection-number-lock
[18] See https://www.ic3.gov/Media/Y2022/PSA220208
[19] See: https://cobc.att.com/mission
[20] See: https://cobc.att.com/responsibilities
[21] See: https://cobc.att.com/customers
[22] See https://about.att.com/privacy/full_privacy_policy.html
[23] See BSA/AML Policies for Cryptocurrency Exchanges in a Nutshell
We stay up to date and track cases involving phishing attacks and sim swap affecting major cryptocurrency exchanges and mobile operators:
One of the largest cellphone carriers in the United States is facing yet another lawsuit by a digital currency investor over SIM swap fraud. T-Mobile failed in its duty to protect its users and resulted in the plaintiff’s loss of $55,000 worth of BTC, according to the lawsuit filed in Pennsylvania.
I am victim of a SIM Swap scam. Both T-Mobil and Coinbase.com where negligent and failed to protect me. I have all the evidence to prove my case.
An 84-year-old grandmother living in West Palm Beach started investing in cryptocurrency to help save up for her family’s future. Then, nearly all of the money she put into cryptocurrency vanished after she claims a hacker got into her accounts and drained it of about $800,000.
- Coinbase Reportedly Stealing Customer Funds, According to Complaint Documents Filed to SEC | CryptoGlobe |
Coinbase users have filed 134 pages of complaints to the SEC alleging that their funds have been “stolen” by the exchange
- T-Mobile Sued Again Over SIM Swap Crypto Losses | Law Street |
Yesterday, Kevin Frye filed a complaint in the Southern District of Florida against T-Mobile USA, Inc. for allegedly conducting a “SIM-Swap” without his consent, resulting in the loss of tens of thousands of dollars worth of cryptocurrency. The plaintiff claimed that “T-Mobile Representatives were either complicit with the theft or grossly negligent” since they have been on “notice for years that their security measures were not adequate.”
- SIM swapping victim alleges T-Mobile failed to stop $20,000 cryptocurrency scam | Cyberscoop | June 4, 2021
A Pennsylvania woman who lost the equivalent of $20,000 in cryptocurrency as part of a mobile fraud scheme says T-Mobile failed to protect her account in the face of a wave of similar incidents.
Nine months before scammers stole $20,000 from Kesler’s Coinbase account, the suit argues, Jack Dorsey was the victim of another high profile SIM swap, in which outsiders seized control of the Twitter CEO’s information. Security journalist Brian Krebs also covered the issue in 2018, specifically reporting that a T-Mobile retail store employee was under investigation for making an unauthorized SIM swa
- Man takes on Gemini and CIT in lawsuit after his $263,799.28 was allegedly stolen to purchase crypto
A man is suing Gemini, claiming it was negligent not to notice significant sums of money moved from his money market account to buy cryptocurrency on the exchange over seven days. While the trader was out of reach in the Australian outback, someone allegedly stole money from his CIT account and wired it to Gemini to purchase crypto. Later, he noticed fraudulent activity on his accounts with other banks, and is suing CIT in addition to Gemini, claiming it violated the Electronic Funds Transfer A
Hackers stole $21 million in Bitcoin and $15 million in Ethereum from retirement accounts held with IRA Financial Trust on February 8, according to a report from Bloomberg based on an anonymous source.
Interviews and thousands of complaints have revealed a pattern of account hacks where users have reported money vanishing from their accounts, reports CNBC. Once criminals gain access to an account, funds can be drained within minutes.
- Lost $350,000 in a hack, now Coinbase wants me to pay them $10,000 | Reddit User | March 15, 2022 – 5 months Ago
My account that my mom and I use together got hacked in June of this year. We lost $350,000.The hacker not only transferred out all of the crypto we owned, they used the bank accounts that were linked to purchase more. When we found out about the hack, we called our banks to stop the transfer of money. We also immediately contacted Coinbase to report the hack. However, Coinbase still let the purchase go through while the bank transactions were pending. Now, Coinbass is claiming that because we stopped our banks from transferring the money, we owe them $10,000 to reimburse them for the purchase.
California-headquartered crypto trading platform Coinbase—has been named in at least 115 complaints sent to the U.S. Securities and Exchange Commission and the California Department of Business Oversight
“I believe Coinbase has engaged in fraud by knowingly marketing a service it knows it cannot actually provide,” the filing from November last year read, adding: “Coinbase knows it does not have the infrastructure to timely and adequately meet customer needs.” At the time, bitcoin and other virtual currencies were rocketing in value, leading to an unprecedented interest from eager new investors.
It took only two minutes for the attacker to clean Sean Everett out of what was then a few thousand dollars’ worth of digital coins from his Coinbase wallet
- Coinbase once lost $250,000 of Bitcoin in phishing attack | Decrypt | May 22, 2020
Author Jeff Roberts said $250,000 was stolen from Coinbase in 2013/2014. Roberts claims Coinbase’s hot wallet was hacked just a year after the company’s inception in 2012, and that the hacker made away with $250,000 worth of Bitcoin
Olympia and Steve Kallman of Parma said they are dealing with some sleepless nights after police reported they had more than $22,000 taken by con artists from their Coinbase cryptocurrency virtual wallet back on Aug. 16.
- T-MOBILE SUED AFTER CLIENT LOST $8.7 MILLION IN CRYPTOCURRENCY HACK | Levin Law, August 12, 2021
T-Mobile is facing a multi-million dollar lawsuit after hackers were able to gain unauthorized access to a client’s account. Using information provided by the cellular company, hackers successfully bypassed their two-factor authentication security measures enabling them to obtain a SIM card with the client’s personal and financial information. $8.7 million in cryptocurrency was ultimately transferred out of the customer’s account.
- T-Mobile Customer Sues T-Mobile After Losing $8.7 Million of Cryptocurrency Stolen in SIM Swap Scam | Dimond Kaplan & Rothstein, P.A.
T-Mobile has been hit with a multi-million-dollar lawsuit after Reginald Middleton lost millions of dollars when hackers gained unauthorized access to his account. The hackers used information supplied by T-Mobile to successfully circumvent the two-factor authentication measure, which allowed them to obtain a SIM card containing all of Middleton’s financial and personal information. Ultimately, $8.7 million in cryptocurrency was transferred out of Middleton’s account.
- Another Bitcoin Investor Sues T-Mobile Over SIM Swap Attack | Nasdaq | July 15, 2021
Richard Harris, the customer and plaintiff, is alleging T-Mobile’s misconduct including its failure to adequately protect customer information, hire appropriate support staff and its violation of federal and state laws led to his loss of 1.63 bitcoin.
Last night while I was sleeping my account was logged into (web) from Russia…
The Vidovics lost nearly $170,000 in the blink of an eye when someone hacked their Coinbase account.
John said his accounts with Coinbase and Coinbase Pro were emptied as he watched his phone screen.
- Coinbase User Accounts Emptied After Hackers Gained Access to Their Crypto Wallets | Couple Discovered $168K Crypto Stolen | Tech Times | August 25, 2021
….an increasing number of users of the currently highly popular cryptocurrency exchange called Coinbase have suddenly found their accounts on the platform empty. This is after hackers have managed to gain access to them and thoroughly drain their cryptocurrency wallets.
- Sim-swappers hack League of Legends star out of $200K worth of cryptocurrency from Coinbase account | TheNextWeb | September 18, 2018
League of Legends superstar has had $200,000 in cryptocurrency stolen from them – directly from their Coinbase account
…an unauthorized user had changed Ms. Maguian’a passwords for trading platforms… Coinbase and initiated transactions that emptied her accounts of crypto valued at around $80,000 at the time
- U.S. Court Rules Money Laundering-Related Case Against Coinbase Must Have Public Trial | Cointelegraph | April 24, 2018
The Eleventh Circuit Court of Appeals ruled today that the class action against Coinbase…will be held in open court. The case in question alleges that Coinbase assisted in laundering around $8.2 mln of stolen Bitcoin (BTC) – valued at over $100 mln today.
- Coinbase Cryptocurrency accounts wiped out ‘in an instant by cyber crooks | ABC Action News |
The Vidovics lost nearly $170,000 in the blink of an eye when someone hacked their Coinbase account.
Dr. Anders Apgar, a Coinbase customer, said his account had a balance of more than $100,000 in crypto when it was hacked during a robocall.
- Coinbase Account Hacked $14,000 USD stolen | Reddit User |
I had $14,000+ USD in my coinbase pro account. The account was hacked at the money was switched over to crypto and sent to multiple people this occured several hours ago (05/14/2021). Case # 06082303
- Cybercriminals cleanout cryptocurrency using sim card swap scam | ABC Action News
Tampa resident David Bryant knew something was wrong last October when he found Coinbase notifications deleted from his account and his login no longer worked. “I lost about $15,000 dollars worth of crypto,” David said.
A Texas man is suing Coinbase, the cryptocurrency trading platform. The man alleges his Coinbase account was breached to make a $50,000 unauthorized transaction. He says at least 1,000 other Coinbase accounts have also been breached.
- Nearly 75% of Stolen Ransomware Crypto Went to Russia in 2021, New Report Finds | February 15, 2022
A new report finds that Russia was linked to the majority of crypto ransomware invasions, siphoning the equivalent of $400 million in stolen funds to illicit addresses in that country. It appears Russia has strong ties to the majority of crypto hacks and cybercrimes, especially when you consider that 74% of ransomware revenue in 2021 — over $400 million worth of cyptocurrency — went to accounts affiliated with the country in some way, according to a new report from cryptocurrency tracking and analytics firm, Chainalysis.
- Close to $12,000 STOLEN OUT OUT MY COINBASE… I WANT ANSWERS!!! Reddit User | 11 Months Ago
Case #05530638, #05542432. This all happened 4/15/21-4/16/21. How can I talk with someone from coinbase? I am so frustrated that someone stole my Bitcoin, ETH, and transferred $500 from my bank account and stole that too from my coinbase… Total almost $12,000. I am trying to understand what is going on and now I am completely blocked out of coinbase. I want answers!
An increasing number of users of the highly popular cryptocurrency exchange Coinbase have found their accounts on the platform empty after hackers managed to gain access to them and drain their cryptocurrency wallets.
Raza says Coinbase, the cryptocurrency exchange where he was robbed, has not been able to provide a solution and he thinks they need to step up security protocols.
In four minutes, cyber looters pilfered $34,123 worth of virtual currency from a Virginia resident’s Coinbase (COIN) account, the 38-year-old told Yahoo Finance.
- Coinbase hacked in the middle of the night $60k stolen. What should I do? Reddit | January, 2021
I received several txts last night sending me a 2fa code. I woke up and my bitcoin was transferred at 230am to some address. Any idea what happened? Was it my cell phone provider? Seems fishy to me since I could not detect any threats my phone. No idea how the culprit read my txt messages but oh well.
- All of My Crypto Was Stolen! On Coinbase | Reddit User | 8 Months Ago
I am an active user of CoinBase and somehow my account was breached even with 2FA enabled. The hackers stole all of the coins in my account by converting them to BTC and sending them to their wallet. They then deposited $1k USD and purchased BTC using my debit card and stole it before I could lock my account down.
- CoinBase Account Hacked – $23k Stolen and NO HELP from CoinBase | Reddit User | March 15 – 7 months
Taking my case to reddit. My account was hacked approximately 3 weeks ago and .50 BTC (approximately $23k USD) was stolen from my account. In summary, I decided to log into my account one day to check in on the balance. A hacker had locked my account out.
…hackers managed to get into the accounts and move funds off the platform, draining some accounts dry. Thousands of customers had already begun to complain to Coinbase that funds had vanished from their accounts…Coinbase did not disclose how much cryptocurrency was stolen in the attack.
- Coinbase slammed for what users say is terrible customer service after hackers drain their accounts | CNBC | August 24, 2021
CNBC interviewed Coinbase users across the country. The interviews and complaints revealed a pattern of account takeovers, where users see money suddenly vanish from their account, followed by poor customer service from the company. Since 2016, Coinbase users have filed more than 11,000 complaints against Coinbase with the Federal Trade Commission and Consumer Financial Protection Bureau, mostly related to customer service.
- Coinbase customers up in arms after hackers drain crypto wallets | August 26, 2021
An increasing number of users of the highly popular cryptocurrency exchange Coinbase have found their accounts on the platform empty after hackers managed to gain access to them and drain their cryptocurrency wallets.
Loads of scams out there. Remember Coinbase does not support chat. You will never speak with a Coinbase employee.
I have been trying to contact Coinbase support since Thursday when I saw $25k BTC sold from my wallet without my consent and could not receive any assistance at all from Coinbase to protect my investment.
- A string of thefts hit Bitcoin’s most reputable wallet service | The Verge | February 7, 2014
It was 10.6 bitcoins held in the wallet service Coinbase, the most well-funded and widely implemented service on the market.
- Coinbase is mistakenly draining customers’ bank accounts, and people are freaked | Mashable | February 15, 2018
All your money is gone. Whoops! Sorry for your loss. Some Coinbase account holders are losing their shit today as they look to their bank statements to find that the exchange has withdrawn excessive amounts of money from their accounts.
California-headquartered crypto trading platform Coinbase—has been named in at least 115 complaints sent to the U.S. Securities and Exchange Commission and the California Department of Business Oversight
“I believe Coinbase has engaged in fraud by knowingly marketing a service it knows it cannot actually provide,” the filing from November last year read, adding: “Coinbase knows it does not have the infrastructure to timely and adequately meet customer needs.” At the time, bitcoin and other virtual currencies were rocketing in value, leading to an unprecedented interest from eager new investors
- T-Mobile Sued Again Over SIM Swap Crypto Losses | Law Street |
Yesterday, Kevin Frye filed a complaint in the Southern District of Florida against T-Mobile USA, Inc. for allegedly conducting a “SIM-Swap” without his consent, resulting in the loss of tens of thousands of dollars worth of cryptocurrency. The plaintiff claimed that “T-Mobile Representatives were either complicit with the theft or grossly negligent” since they have been on “notice for years that their security measures were not adequate.”
- SIM swapping victim alleges T-Mobile failed to stop $20,000 cryptocurrency scam | Cyberscoop | June 4, 2021
A Pennsylvania woman who lost the equivalent of $20,000 in cryptocurrency as part of a mobile fraud scheme says T-Mobile failed to protect her account in the face of a wave of similar incidents.
Nine months before scammers stole $20,000 from Kesler’s Coinbase account, the suit argues, Jack Dorsey was the victim of another high profile SIM swap, in which outsiders seized control of the Twitter CEO’s information. Security journalist Brian Krebs also covered the issue in 2018, specifically reporting that a T-Mobile retail store employee was under investigation for making an unauthorized SIM swap.
- Hackers Circle as Individual Investors Pour Cash Into Crypto | The Wall Street Journal | November 21, 2021
Mr. Harris sued T-Mobile in July, alleging the company’s practices didn’t meet federal standards and allowed a hacker to take over his phone number in 2020 and steal bitcoin worth nearly $15,000 at the time, and more now.
T-Mobile declined to comment on the suit but motioned to move the case to arbitration. Like Verizon and AT&T, the company requires arbitration to resolve disputes in its terms of service, often leading to closed-door settlements.
- Massive data breach at T-Mobile lands giant class action in KC federal court | Kansas City Business Journal | January 5, 2022
Hackers stole the personal identification data for millions of past, present and prospective T-Mobile customers, leading to a huge class-action lawsuit.
- Hacker lifts $1 million in cryptocurrency using San Francisco man’s phone number, prosecutors say | CNBC | November 21, 2018
Losing cellphone service is inconvenient. But in some cases, it also might mean you’re getting hacked.
“It’s a whole new wave of crime,” said Erin West, the deputy district attorney of Santa Clara County. “It’s a new way of stealing of money: They target people that they believe to have cryptocurrency,” she told CNBC.
- T-Mobile data breach and SIM-swap scam: How to protect your identity | Cnet | August 22, 2021
Just when you think the massive T-Mobile hack can’t get any worse, on Friday the carrier announced that over 50 million people, including current and former customers as well as prepaid customers, were affected by the breach. Information like Social Security numbers, driver’s licenses and account PINs were exposed.
- Another Bitcoin Investor Sues T-Mobile Over SIM Swap Attack | Coindesk | July 15, 2021
Cellphone carrier T-Mobile is being sued over allegations it failed to safeguard against a SIM swap scam that cost one customer $55,000 in lost.
- T-Mobile Sued Over $8.7M Stolen in SIM-Swap Attacks | Cointelegraph | July 23, 2020
The CEO of a crypto firm that recently settled with the SEC over its 2017 ICO is suing T-Mobile over a series of SIM-swaps that resulted in the loss of $8.7 million worth of crypto.
The suit accuses T-Mobile of having “abjectly failed” in its responsibility to protect the personal and financial information of its customers.
- Crypto Theft Victim Sues T-Mobile for Allowing SIM-Swap Attack | Finance Magnates | February 12, 2021
A victim of a crypto theft using SIM-swap attack has filed a lawsuit against T-Mobile, alleging the failure and negligence on the part of the US cell phone carrier in preventing these scams.
“This action arises out of T-Mobile’s systemic and repeated failures to protect and safeguard its customers’ highly sensitive personal and financial information against common, widely reported, and foreseeable attempts to illegally obtain such information,” the lawsuit alleged.
- T-Mobile being sued by victim of SIM swapping attack | Tmo News | February 11, 2021
T-Mobile is currently facing a complaint against one of the victims of SIM swapping, a type of fraud.
Cheng believed that the attack would not have happened if not for “T-Mobile‘s negligent practices and its repeated failure to adhere to federal and state law.”
- T-Mobile Is Facing Another SIM Swapping Complaint | Android Headlines |
T-Mobile is facing yet another SIM swapping complaint involving cryptocurrency theft. Last week, a Philadelphia man named Richard Harris filed a complaint in the Eastern District of Pennsylvania against the wireless giant alleging he lost approximately $55,000 worth of Bitcoin due to the company’s failure to safeguard his account
The sim was successfully swapped which means that either it was done without the pin or the person knew the pin. Again, this is only possible if it was a T-Mobile employee and most likely one of the employees that help a month prior during the line add and upgrade.
When it comes to security or whatever it is leave T-Mobile. It is insider job someone is doing sim swaps.
- Why you can’t ignore the hackers and data breaches, like one at T-Mobile | Detroit Free Press |
T-Mobile confirmed this week that it was hit by a “highly sophisticated cyberattack” that exposed names, dates of birth, Social Security numbers and driver’s license information for more than 40 million consumers who had applied for credit with T-Mobile.
After a crazy week where T-Mobile handed over my phone number to a hacker twice, I now have my T-Mobile, Google, and Twitter accounts back under my control. However, the weak link in this situation remains and I’m wary of what could happen in the future.
- T-Mobile discloses data breach after SIM swapping attacks | Bleeping Computer |
American telecommunications provider T-Mobile has disclosed a data breach after an unknown number of customers were apparently affected by SIM swap attacks. SIM swap fraud (or SIM hijacking) allows scammers to take control of targets’ phone numbers after porting them using social engineering or after bribing mobile operator employees to a SIM controlled by the fraudsters.
- Fraudulent Sale of My SIM card | T-Community | 2019
Yesterday, someone went into a T-Mobile retail store used a fake California Drivers License to buy a copy of my SIM card.
And now for the crazy chain of events, where T-mobile allowed a complete stranger to do a SIM swap on me, and Coinbase allowed a complete stranger to change my Coinbase identity with no questions asked.
Silver Miller said that “with little more than a persuasive plea for assistance, a willing telecommunications carrier representative, and an electronic impersonation of the victim,” criminals can manage to steal millions of dollars targeting unsuspecting victims.
Hackers swapped my T-Mobile SIM card without my approval and methodically shut down access to most of my accounts and began reaching out to my Facebook friends asking to borrow crypto.
Coinbase has admitted that hackers stole crypto from thousands of its users’ accounts over a three-month period.
Bad actors were able to infiltrate the accounts of and steal cryptocurrency from around 6,000 Coinbase customers by exploiting a multi-factor authentication flaw.
Matthew doesn’t know how the hackers were able to access his Coinbase account, but he remembered that when he signed up with Coinbase, they advertised they had insurance.