T-Mobile Sim Swap Incident Resulted in $275K Theft from Victim’s Coinbase Account

June 27, 2021  |   By: Max Dilendorf, Esq.

SAMPLE COMPLAINT AGAINST T-MOBILE USA, INC.

AMERICAN ARBITRATION ASSOCIATION COMPLAINT SAMPLE

Claimant, by and through his attorney, Max Dilendorf, brings this action against Respondent T-Mobile USA, Inc. (“T-Mobile”, “Respondent”) pursuant to the Federal Communications Act, a common law theory of gross negligence, a common law theory of negligent hiring, retention, and supervision; and the Computer Fraud and Abuse Act.

INTRODUCTION

  1. This action arises out of T-Mobile USA, Inc.’s (hereinafter “T-Mobile”) systemic and repeated failures to protect and safeguard its customers’ highly sensitive personal and financial information against common, widely reported, and foreseeable attempts to illegally obtain such information.
  2. As a result of T-Mobile’s misconduct as alleged herein, including its gross negligence in failing to protect customer information, its negligent hiring and supervision of customer support personnel, and its violations of federal and state laws designed to protect wireless service consumers, Claimant lost 4.13834669 Bitcoin (“BTC”), with a current estimated value in excess of $275,365.91, due to an account takeover scheme (also known as a “SIM-swap”) which could not have occurred but for Respondent’s intentional actions and negligent practices, as well as its repeated failure to adhere to federal and state laws.

PARTIES

  1. Claimant is a resident of the State of Texas.
  2. Respondent is a Delaware corporation with principal place of business in the State of Washington.

FACTUAL BACKGROUND RELEVANT TO ALL CAUSES OF ACTION

  1. T-Mobile markets and sells wireless cellular phone service through standardized wireless service plans via various retail locations, online sales, and over the telephone.
  2. T-Mobile has approximately 600 stores in Texas. See https://www.t-mobile.com/store-locator/tx, which lists all T-Mobile storefronts in Texas by town.
  3. The Respondent has a substantial advertising budget, amounting to $2.2 billion in 2021. It is estimated that it spends millions annually marketing its services to residents of Texas. See https://www.statista.com/statistics/760050/ad-spending-of-t-mobile-in-the-us/.
  4. T-Mobile maintains accounts for its wireless customers, enabling them to access information about the services they purchase from T-Mobile.
  5. It is widely recognized and has been widely publicized that mishandling of customer wireless accounts, including, but not limited to, allowing unauthorized access, can facilitate identity theft and related consumer harm.
  6. Numerous instances of mishandling of customer account information have occurred at T-Mobile. Many major media outlets have written about T-Mobile’s SIM swap hacks. These publications include, but are not limited to: The Washington Post[1], Yahoo![2], Law 360[3], CoinDesk[4], The New York Post[5], Wired[6], as well as various local media affiliates of major news outlets[7]. Further, Vice wrote an article in 2020 regarding Verizon Wireless’s attempts to increase protection for users against SIM swaps, urging other mobile phone carriers, including T-Mobile, to do the same[8].
  7. As one of the nation’s largest wireless carriers, T-Mobile’s operations must comply with various federal and state statutes, including (but not limited to) the Federal Communications Act (“FCA”) 47 U.S.C. §222.
  8. The FCA obligates T-Mobile to protect the “confidentiality of proprietary information of [its] customers” and “customer proprietary network information” (commonly referred to as “CPI” and “CPNI”, respectively). See 47 U.S.C. §222(a), (c).
  9. The Federal Communications Commission (“FCC”) has promulgated rules to implement Section 222 of the FCA “to ensure that telecommunications carriers establish effective safeguards to protect against unauthorized use or disclosure of CPNI.” In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, 07-22 FCC Rcd. (Mar. 13, 2007); see also 47 C.F.R. §64.2001 et seq. (“CPNI Rules”).
  10. The CPNI Rules limit disclosure and use of CPNI without customer approval to certain limited circumstances (such as cooperation with law enforcement), none of which are applicable to the facts here. See 47 C.F.R. §64.2005.
  11. The CPNI Rules also require carriers to implement safeguards to protect customers’ CPNI. See 47 C.F.R. §64.2009(b), (d), and (e).
  12. These safeguards include: (a) training personnel “as to when they are and are not authorized to use CPNI”; (b) establishing “a supervisory review process regarding carrier compliance with the rules”; and (c) filing annual compliance certificates with the FCC. Id.
  13. The CPNI Rules further require carriers to implement measures to prevent the disclosure of CPNI to unauthorized individuals. For example, “carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” 47 C.F.R. §64.2010(a).
  14. T-Mobile regularly holds itself out to the general public as a secure and reliable custodian of customer data, including customers’ confidential financial and personal information. As an example, T-Mobile explicitly states that “when you contact us by phone or visit us in our stores, we have procedures in place to make sure that only the primary account holder or authorized users have access.” See https://www.t-mobile.com/privacy-center/our-practices/privacy-policy.
  15. T-Mobile maintains that it uses a variety of “administrative, technical, contractual, and physical safeguards” to protect customers’ data “against security incidents, and illegal, fraudulent, or unauthorized activities; investigate suspicious traffic, cybersecurity threats or vulnerabilities, complaints, and claims; authenticate your credentials for account access and information and provide other security protections,” as of August 9, 2021. Id.
  16. Upon information and belief, T-Mobile’s sales and marketing materials make similar representations regarding T-Mobile’s alleged implementation of various safeguards to protect its customers’ private information (as required by statutes).
  17. T-Mobile’s deceptive statements are designed to cover up the fact that it is aware its security procedures can and do fall short of its expressed and implied representations and promises, as well as its statutory duties.
  18. Such failures, which lead to unauthorized access of customers’ information, were entirely foreseeable by T-Mobile, especially given the wide media coverage of such hackings prior to the event in dispute here.

A. SIM CARD SWAP

  1. As T-Mobile is aware, various forms of account takeover fraud have been widely reported in the press, by government regulators (including the Federal Trade Commission (“FTC”) and the FCC), academic publications, and multiple lawsuits across the country.
  2. These illegal schemes involve criminals and fraudsters gaining access to or “hijacking” customer wireless accounts, which often include sensitive personal and financial information, to induce third parties to conduct transactions with individuals they believe to be legitimate or known to them.
  3. Sometimes these schemes are perpetrated by employees of the wireless carriers, such as T-Mobile.
  4. One of the most damaging and pervasive forms of account takeover fraud is known as a “SIM-Swap”, whereby a third-party (with the help of a wireless carrier like T-Mobile) is allowed to transfer access to a customer’s cellular phone number from the customer’s registered “subscriber identity module” card (or “SIM card”) – to a SIM card controlled by the third party.
  5. A SIM Card has a complete record of a user’s cell phone history, inclusive of text messages, calls, and any applications which a user has downloaded.
  6. A SIM swap is when a hacker convinces a carrier to switch a phone number over to a SIM card they own. Once a hacker has access to the phone number, they control the text-based two-factor authentication checks specifically designed to add a layer of protection to sensitive accounts such as bank accounts, social media accounts, and email accounts.
  7. The wireless carrier, however, must effectuate the SIM card reassignment. Therefore, “SIM-swapping” is not an isolated criminal act, as it requires the wireless carrier’s active involvement to swap the SIM containing information regarding its customer to an unauthorized person’s phone.
  8. Indeed, unlike a direct hack of data, whereby a company like T-Mobile plays a more passive role, SIM-swaps are ultimately effectuated by the wireless carrier itself. For instance, in this case, it is T-Mobile that approved and allowed the SIM card change (without Claimant’s authorization), as well as all of the subsequent telecommunication activity that was used to access Claimant’s online accounts and cause the injuries suffered by Claimant.
  9. As such, by directly or indirectly exceeding authorized access to customer accounts, wireless carriers such as T-Mobile may be liable under state and federal statutes, such as the Federal Communications Act (“FCA”).
  10. Once a third-party has access to the legitimate user’s SIM card data, it can then seamlessly impersonate that legitimate user (e.g., in communicating with others or contacting various vendors).
  11. Common targets of SIM-swapping and account takeover fraud are individuals known, or expected, to hold cryptocurrency, because account information is often contained on users’ cellular phones, allowing criminals to transfer the legitimate user’s cryptocurrency to an account controlled by the third-party.
  12. The Federal Communications Commission investigated T-Mobile and on February 28, 2020 released a report which read as follows:

The American public and federal law consider such information highly personal and sensitive—and justifiably so. As the Supreme Court has observed, location data associated with wireless service “provides an intimate window into a person’s life, revealing not only his particular movements, but through them his familial, political, professional, religious, and sexual associations.” Section 222 of the Communications Act requires carriers to protect the confidentiality of certain customer data related to the provision of telecommunications service, including location information. The Commission has advised carriers that this duty requires them to take “every reasonable precaution” to safeguard their customers’ information. The Commission has also warned carriers that the FCC would “[take] resolute enforcement action to ensure that the goals of section 222 are achieved.”

Today, we do exactly that. In this Notice of Apparent Liability, we propose a penalty of $91,630,000 against T-Mobile USA, Inc. (T-Mobile or Company) for apparently violating section 222 of the Communications Act and the Commission’s regulations governing the privacy of customer information. We find that T-Mobile apparently disclosed its customers’ location information, without their consent, to third parties who were not authorized to receive it. In addition, even after highly publicized incidents put the Company on notice that its safeguards for protecting customer location information were inadequate, T-Mobile apparently continued to sell access to its customers’ location information for the better part of a year without putting in place reasonable safeguards—leaving its customers’ data at unreasonable risk of unauthorized disclosure. In the Matter of T-Mobile USA, Inc., File No. EB-TCD-18-00027702 (February 28, 2020), page 1786.

  1. The prevalence of SIM-swap fraud and T-Mobile’s knowledge of such fraud, including, but not limited to that performed with the active participation of its own employees, demonstrates that what happened with Claimant’s account was neither an isolated incident nor an unforeseeable event.
  2. As a regulated wireless carrier, T-Mobile has a well-established duty – one which it freely acknowledges on its corporate website – to protect the security and privacy of CPI and CPNI from unauthorized access, and T-Mobile is obligated to certify its compliance with this mandate to the FCC every year. See, e.g., https://www.t-mobile.com/privacy-center/education-and-resources/cpni.
  3. The FCA expressly restricts carriers like T-Mobile from unauthorized disclosure of CPNI.
  4. In light of the above, at the time of the events at issue in the present case, T-Mobile was keenly aware of its obligations, as well as multiple weaknesses in its internal processes and procedures to authenticate legitimate customers.
  5. The failure of T-Mobile to have proper safeguards and security measures as recommended by the FCC resulted in damages to Claimant in an amount to be determined at trial.

B. LACK OF SECURITY PROTOCOLS

  1. T-Mobile has been on notice for years that its security measures were not adequate. Despite this, sufficient security measures were not in place to prevent this SIM Card swap and the corresponding theft.
  2. A SIM swapping attack is otherwise known as SIM splitting, SIM jacking, SIM hijacking, and port-out scamming. It is a scam in which fraudsters exploit the weakness of two-factor authentication and verification in which the second step of the process is receiving a text message or phone call to the user’s cellphone number.
  3. Despite this knowledge of inherent security flaws, T-Mobile and its officers and directors acted with a conscious and reckless disregard for the security of their customers, failing to ratify and implement policies that would protect its customers’ accounts.
  4. A valid driver’s license and a valid PIN/security code should have been required in order to port a number to a new phone.
  5. Security measures should have been in place which required the original SIM to be present in order for that information to be placed onto a new device.
  6. The fact that Claimant’s number was ported over without the original SIM device being present and without a valid ID corroborating Claimant’s identity points to either completely substandard security procedures or this being an inside job by a T-Mobile Representative.
  7. T-Mobile should require SIM Card swaps to be done in person via their extensive network of stores.
  8. T-Mobile Representatives were either complicit with the theft or grossly negligent.
  9. T-Mobile’s officers and directors exhibited a conscious and reckless disregard for the security of its customers by failing to implement sufficient security protocols.
  10. Claimant has filed a police report with The Police Department.

C. FACTS RELATING TO THE EVENT IN DISPUTE

  1. Claimant is a T-Mobile customer.
  2. On or about November 2021, Claimant realized that there was no service.
  3. In December 2021, T-Mobile sent Claimant a letter acknowledging the unauthorized activity on Claimant’s account.
  4. During the breach, the hackers were able to disable Coinbase’s notification system, thus enabling them to make undetected transfers from Claimant’s Account.

FIRST CAUSE OF ACTION: VIOLATION OF THE FEDERAL COMMUNICATIONS ACT

  1. Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
  2. The FCA regulates interstate telecommunications carriers, including T-Mobile.
  3. T-Mobile is a “common carrier” or a “telecommunications carrier” engaged in interstate commerce by wire for the purpose of furnishing communication services within the meaning of Section 201(a) of the FCA. See 47 U.S.C. §201(a).
  4. As a “common carrier”, T-Mobile is subject to the substantive requirements of Sections 201 through 222 of the FCA. See 47 U.S.C. §§201-222.
  5. Under Section 201(b) of the FCA, common carriers may implement only those practices, classifications, and regulations that are “just and reasonable.” Practices that are “unjust or unreasonable” are unlawful.
  6. Section 206 of the FCA, entitled “Carriers’ liability for damages” provides:

In case any common carrier shall do, or cause or permit to be done, any act, matter, or thing in this chapter prohibited or declared to be unlawful, or shall omit to do any act, matter, or thing in this chapter required to be done, such common carrier shall be liable to the person or persons injured thereby for the full amount of damages sustained in consequence of any such violation of the provisions of this chapter, together with a reasonable counsel or attorney’s fee, to be fixed by the court in every case of recovery, which attorney’s fee shall be taxed and collected as part of the costs in the case.

  1. Section 207 of the FCA, entitled “Recovery of damages” further provides:

Any person claiming to be damaged by any common carrier subject to the provisions of this chapter may either make complaint to the [FCC] as hereinafter provided for, or may bring suit for the recovery of the damages for which such common carrier may be liable under the provisions of this chapter, in any district court of the United States of competent jurisdiction; but such person shall not have the right to pursue both remedies.

  1. Additionally, Section 222(c) of the FCA explicitly requires that telecommunications carriers protect their customers’ CPNI. See 47 U.S.C. §222(c).
  2. According to the CPNI Rules:

Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated contact, online account access, or an in-store visit.

In-store access to CPNI. A telecommunications carrier may disclose CPNI to a customer who, at a carrier’s retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer’s account information. In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, 07-22 FCC Rcd. (Mar. 13, 2007).

T-Mobile violated its duties under Section 222 of the FCA by failing to protect Claimant’s CPI and CPNI by using, disclosing, or permitting access to Claimant’s CPI and CPNI without the consent, notice, and/or legal authorization of Claimant as required by the FCA, in that upon information and belief:

  • during an in-store visit, or over the phone, Claimant’s CPI and CPNI were disclosed to someone other than Claimant by an agent of Respondent;
  • during an in-store visit, or over the phone, Claimant’s CPI and CPNI were disclosed to someone who was not properly authenticated by Respondent; and
  • during an in-store visit, or over the phone, Claimant’s CPI and CPNI were disclosed to someone who did not first present a valid photo ID to Respondent.
  1. As alleged herein, T-Mobile failed to protect the confidentiality of Claimant’s CPI and CPNI when it disclosed Claimant’s CPI and CPNI to third-parties without Claimant’s authorization or permission.
  2. T-Mobile’s conduct, as alleged herein, constitutes knowing violations of the FCA, including sections 201(b) and 222, as well as the CPNI Rules.
  3. T-Mobile is also liable for the acts, omissions, and/or failures, as alleged herein, of its officers, employees, agents, or any other persons acting for or on behalf of T-Mobile.
  4. T-Mobile’s violation of the FCA allowed unauthorized parties to impersonate Claimant in transactions with others.
  5. T-Mobile violated the FCA, including Section 222, by allowing an unauthorized party to access Claimant’s CPI and CPNI, resulting in, inter alia, Claimant’s loss of his possessions, including 4.13834669 Bitcoin.
  6. As a direct consequence of T-Mobile’s violations of the FCA, Claimant has been damaged through the loss of his property, namely 4.13834669 Bitcoin.
  7. Had T-Mobile not allowed the unauthorized access to Claimant’s account, Claimant would not have suffered this loss.
  8. T-Mobile, by its inadequate procedures, practices, and regulation, engages in practices which, when taken together:
  • fail to provide reasonable, appropriate, and sufficient security to prevent unauthorized access to its customers’ wireless accounts;
  • allow unauthorized persons to be authenticated; and
  • grant access to sensitive customer account information.
  1. In particular, T-Mobile failed to establish and implement reasonable policies, procedures and safeguards governing the creation, access, and authentication of user credentials to access customers’ accounts, creating an unreasonable risk of unauthorized access.
  2. As such, in violation of the FCA, T-Mobile has failed to ensure that only authorized persons have access to customer account data and that customers’ CPI and CPNI are secure.
  3. Among other things, T-Mobile:
  • failed to establish and enforce rules and procedures sufficient to ensure only authorized persons have access to T-Mobile customer accounts, including that of Claimant;
  • failed to establish appropriate rules, policies and procedures for the supervision and control of its officers, agents and employees;
  • failed to establish and enforce rules and procedures, or provide adequate supervision and/or training sufficient to ensure that its employees and agents follow such rules and procedures to restrict access by unauthorized persons;
  • failed to establish and enforce rules and procedures to ensure T-Mobile’s employees and agents adhere to the security instructions of customers with regard to accessing customers’ accounts, including that of Claimant;
  • failed to adequately safeguard and protect its customers’ wireless accounts;
  • permitted the sharing of and access to user credentials among T-Mobile’s agents or employees without a pending request from the customer, reducing the likely detection of and accountability for unauthorized access;
  • failed to appropriately supervise employees and agents, who granted unauthorized access to customers’ accounts, including that of Claimant;
  • failed to adequately train and supervise its employees, officers, and agents to prevent the unauthorized access to customer accounts;
  • failed to prevent the ability of employees, officers, and agents to access and make changes to customer accounts without specific customer authorization;
  • allowed “porting out” of cell phone numbers without properly confirming that the request was coming from legitimate customers;
  • lacked proper monitoring and, therefore, failed to monitor its systems for the presence of unauthorized access in a manner that would allow T-Mobile to detect intrusions, breaches of security, and unauthorized access to customer information;
  • failed to implement and maintain readily available best practices to safeguard customer information (and indeed, seemed to suggest such practices were only available to those customers who “paid for” the privilege of having their information secured);
  • failed to diagnose and determine timely the cause of Claimant’s service interruption;
  • failed to notify Claimant timely of the cause of Claimant’s service interruption; and
  • failed to implement and maintain internal controls to help protect against account takeovers and SIM-swaps by unauthorized persons.
  1. The inadequate security measures, policies and safeguards employed by T-Mobile created a foreseeable and unreasonable risk of unauthorized access to the accounts of its customers, including that of Claimant.
  2. Upon information and belief, T-Mobile has been long aware of its inadequate security measures, policies, and safeguards, and nevertheless, induced customers into believing that its systems were secure and compliant with applicable law.
  3. T-Mobile, despite knowing the risks associated with unauthorized access to customer accounts, failed to utilize reasonable and available methods to prevent or limit such unauthorized access.
  4. T-Mobile failed in its duty to protect and safeguard customer information and data pursuant to federal law.
  5. Had T-Mobile implemented appropriate and reasonable security measures, Claimant would not have been damaged.
  6. In sum, Respondent’s security measures were entirely inadequate to prevent the foreseeable damage caused to Claimant.

SECOND CAUSE OF ACTION: NEGLIGENCE

  1. Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
  2. T-Mobile owes a duty of care to its customers to ensure the privacy and confidentiality of CPI and CPNI during its provision of wireless carrier services, as required by both federal and state law.
  3. By allowing unauthorized access to the personal and confidential information of legitimate T-Mobile customers, T-Mobile breached its duty of care to its customers and to foreseeable victims, including Claimant.
  4. By failing to diagnose timely and properly the cause of Claimant’s service interruption, T-Mobile breached its duty of care to its customers and to foreseeable victims, including Claimant.
  5. But for the inadequate security protocols, practices, and procedures employed by T-Mobile in protecting customer data, including Claimant’s private and confidential information, Claimant would not have suffered any damage.
  6. But for the inadequate protocols, practices, and procedures employed by T-Mobile in diagnosing the causes of customers’ service interruptions, Claimant would not have suffered any damages.
  7. But for those intentional actions and/or inaction of Respondent and its agents, Claimant would not have suffered damages.
  8. But for T-Mobile’s inability to diagnose quickly and effectively and/or determine that Claimant’s account was compromised by a SIM-swap – a fact that T-Mobile should have known – Claimant would not have suffered damages.
  9. Claimant has been damaged through the loss of his property, namely 4.13834669 Bitcoin, with a current estimated value in excess of $275,365.91.

THIRD CAUSE OF ACTION: GROSS NEGLIGENCE

  1. Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
  2. T-Mobile, as required by federal and state law, owed Claimant a duty to handle and safeguard properly Claimant’s CPI and CPNI and access to his account.
  3. T-Mobile was required to ensure its compliance with federal law and to protect the confidentiality of its customers’ account data, including that of Claimant.
  4. Upon information and belief, T-Mobile willfully disregarded and/or showed reckless indifference to its duties under federal and state law to T-Mobile customers and to foreseeable victims of T-Mobile’s wrongful acts.
  5. Having superior knowledge of prior account takeover attacks on T-Mobile customers’ data and having the ability to employ internal systems, procedures, and safeguards to prevent such attacks, T-Mobile nevertheless failed:
  • to institute appropriate controls to prevent unauthorized access to customers’ accounts;
  • to utilize authentication systems it knew or should have known were vulnerable to account takeover attacks;
  • to implement systems to thwart such attacks, willfully disregarding the best practices of the industry in so failing; and
  • to appropriately hire, retain, supervise, train, and control those officers, agents, and employees who could grant or obtain unauthorized access to customer account data.
  1. T-Mobile’s policies, procedures and safeguards were completely ineffective and inadequate to prevent the unauthorized access to its customers’ data, notwithstanding the requirements of the CFA, thus meeting the definition of gross negligence and warranting punitive damages for violating [●].

FOURTH CAUSE OF ACTION: NEGLIGENT HIRING, RETENTION AND SUPERVISION

  1. Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
  2. At all material times herein, T-Mobile’s agents, officers, and employees, including, but not limited to, those directly or indirectly responsible for or involved in allowing unauthorized access to Claimant’s confidential and proprietary account information, were under T-Mobile’s direct supervision and control.
  3. Upon information and belief, T-Mobile negligently hired, retained, controlled, trained, and supervised the officers, agents, and employees under its control, or knew or should have known that such officers, agents, and employees could allow unauthorized access to customer accounts, including that of Claimant.
  4. Upon information and belief, T-Mobile negligently failed to implement systems and procedures necessary to prevent its officers, agents, and employees from allowing or obtaining unauthorized access to customer accounts, including that of Claimant.
  5. Upon information and belief, T-Mobile’s negligent hiring, retention, control, training, and supervision allowed the unauthorized access to customers’ accounts resulting in damage to T-Mobile customers and foreseeable victims in the public at large, including Claimant.
  6. Given T-Mobile’s experience with account takeover and SIM-swap attacks (including some perpetrated and/or assisted by Respondent’s own employees, officers, or agents), T-Mobile’s failure to exercise reasonable care in screening, supervising, and controlling its officers, agents, and employees was a breach of its duty to its customers, including Claimant.
  7. T-Mobile’s duty to its customers and foreseeable victims to protect its customers’ data from unauthorized access is required by federal and state law.
  8. It was entirely foreseeable to T-Mobile that unauthorized persons would attempt to gain unauthorized access to T-Mobile customers’ data and, despite this, T-Mobile failed to implement sufficient safeguards and procedures to prevent its officers, agents, and employees from granting or obtaining such unauthorized access.
  9. Upon information and belief, T-Mobile engaged in the acts alleged herein and/or condoned, permitted, authorized, and/or ratified the conduct of its officers, agents, and employees.
  10. As a direct consequence of T-Mobile’s negligent hiring, retention, control and supervision of its officers, agents, and employees, who enabled or obtained the unauthorized access to Claimant’s account, Claimant was damaged through the loss of his property, namely 4.13834669 Bitcoin, with a current estimated value in excess of $275,365.91.

FIFTH CAUSE OF ACTION: VIOLATIONS OF THE COMPUTER FRAUD AND ABUSE ACT

  1. Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
  2. The CFAA governs those who intentionally access computers without authorization or who intentionally exceed authorized access, and as a result of such conduct cause damage and loss.
  3. As alleged herein, a SIM-swap attack requires the intentional access to customer computer data by T-Mobile which exceeds its authority, and which causes damage and loss. As such, T-Mobile is subject to the provisions of the CFAA.
  4. T-Mobile’s conduct, as alleged herein, constitutes a knowing violation of the CFAA.
  5. T-Mobile is also liable for the acts, omissions, and/or failures, as alleged herein, of any of its officers, employees, agents, or any other person acting for or on behalf of T-Mobile.
  6. T-Mobile violated its duty under the CFAA by exceeding its authority to access the computer data and breach the confidentiality of the proprietary information of Claimant by using, disclosing, or permitting access to Claimant’s CPNI without the consent, notice, and/or legal authorization of Claimant as required by the CFAA.
  7. Section 1030(g) of the CFAA provides, in pertinent part:

Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage….

  1. Claimant alleges he has suffered damages which exceed the threshold of $5,000.00 as required by Section 1030(c)(4)(A)(i)(I) of the CFAA.
  2. Claimant alleges T-Mobile’s unlawful conduct has caused damage which exceeds approximately $275,365.91.
  3. Claimant has brought this claim within two (2) years of the date of discovery of the damage pursuant to Section 1030(g) of the CFAA.
  4. Claimant discovered damage on or about July 2021.
  5. Upon information and belief, T-Mobile’s conduct as alleged herein constitutes a violation of Section (a)(5)(A) of the CFAA.
  6. Upon information and belief, T-Mobile’s conduct as alleged herein may constitute a reckless violation of Section (a)(5)(B) of the CFAA.
  7. Upon information and belief, T-Mobile’s conduct as alleged herein may constitute an intentional violation of Section (a)(5)(C) of the CFAA.
  8. As a direct consequence of T-Mobile’s violations of the CFAA, Claimant has been damaged in an amount to be proven at trial but which, upon information and belief, exceeds $275,365.91 plus fees and costs, including reasonable attorneys’ fees.

PRAYER FOR RELIEF

WHEREFORE Claimant demands a judgment against T-Mobile as follows:

  1. Enter judgment for Claimant on all counts;
  2. Award compensatory damages to Claimant arising from T-Mobile’s negligence;
  3. Award statutory damages to Claimant for T-Mobile’s FCA violations;
  4. Award punitive damages to Claimant for T-Mobile’s gross negligence and the conscious and reckless disregard of its customer’s data;
  5. Award statutory damages to Claimant for T-Mobile’s CFAA violations;
  6. Award Claimant costs and reasonable attorneys’ fees;
  7. Award Claimant prejudgment interest; and
  8. Award Claimant such other and further relief as this Court deems just, fair, and proper.

References

[1] See https://www.washingtonpost.com/technology/2021/08/19/t-mobile-data-breach-what-to-do/.

[2] See https://ca.movies.yahoo.com/t-mobile-sim-swapping-data-breach-190612616.html.

[3] See https://www.law360.com/articles/1429370/t-mobile-called-to-court-for-sim-swap-schemes.

[4] See https://www.coindesk.com/markets/2020/07/23/veritaseum-accuses-t-mobile-of-gross-negligence-over-86m-sim-swap-hack/.

[5] See https://nypost.com/2020/08/08/cryptocurrency-fraud-reginald-middleton-sues-t-mobile-for-phone-hack/.

[6] See https://www.wired.com/story/t-mobile-breach-much-worse-than-it-had-to-be/.

[7] See https://www.fox2detroit.com/news/tech-security-expert-warns-about-sim-card-scam-on-t-mobile-customers; https://www.click2houston.com/news/investigates/2021/11/16/kprc-2-investigates-phone-number-swap-scam-warning/.

[8] See https://www.vice.com/en/article/3azv4y/verizon-sim-swapping-hack-protection-number-lock.

This article is provided for your convenience and does not constitute legal advice. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.
