August 16, 2018 – Cryptocurrency investor Michael Terpin has filed a lawsuit against wireless provider AT&T for failing to prevent a fraudulent SIM swap, which Mr. Terpin alleges resulted in the loss of $24 million in cryptocurrency. The complaint was filed in U.S. District Court for the Central District of California.[1] Mr. Terpin alleges he fell victim to SIM swap fraud at the hands of criminals working directly with an AT&T employee.

What Exactly Is A SIM Swap?

A SIM card – subscriber identity module or subscriber identification module – is a small, removable chip in a mobile device that allows it to connect to a wireless provider’s network. A SIM swap occurs when a new SIM card is registered with a phone number – swap out the old SIM for the new. For example, if you lose your phone or buy a new one, your new phone will have a new SIM card, and your provider will link that SIM card to your existing phone number.

A fraudulent SIM swap occurs when criminals link a new SIM to a victim’s phone number, typically through the use of social engineering. Sometimes, however, criminals work with an employee of a wireless provider to make it happen. As was the case with the SIM swap that burned Mr. Terpin. Once the SIM swap has occurred, the victim’s phone dies and the criminals are then able to receive calls and texts made to the victim’s phone number. Moreover, the criminals are able to receive one-time codes that allow them to access or change the victim’s password, and ultimately gain access to the victim’s online accounts, such as email, banking, and cryptocurrency accounts. As Mr. Terpin explains in his complaint, “SIM swapping consists of tricking a provider . . . into transferring the target’s phone number to a SIM card controlled by the criminal. Once they get the phone number, fraudsters can leverage it to reset the victims’ passwords and break into their online accounts.”[2]

So What Happened?

In June 2017, Terpin was the victim of a SIM swap. Criminals took control of Terpin’s telephone number, allowing them to divert text messages and phone calls, and ultimately gain access to Mr. Terpin’s cryptocurrency accounts. According to the complaint, the hackers also used the phone to hijack Mr. Terpin’s Skype account. They then impersonated him and convinced a client of Mr. Terpin to send cryptocurrency, which they diverted to themselves.[3]

Thereafter, AT&T placed Mr. Terpin’s account on a “higher security level” with “special protection.” This meant that anyone requesting AT&T to transfer Terpin’s telephone number to another SIM card would be required to first provide a six-digit passcode to AT&T. This type of security measure is sometimes referred to as “celebrity” protection. Unfortunately, this was not enough to protect his account.

In January 2018, Mr. Terpin was the victim of another fraudulent SIM swap. This time, though, the criminals were assisted by an AT&T employee working in an AT&T store in Norwich, Connecticut.[4] The criminals “gained control over Mr. Terpin’s accounts and stole nearly $24 million worth of cryptocurrency from him on January 7 and 8, 2018.”[5]

Terpin’s Complaint

Mr. Terpin’s complaint alleges the following 16 claims:

• Claim 1: Declaratory relief under 28 U.S.C. § 2201 to have the Court declare that AT&T’s wireless customer agreement (the “Agreement”) is unconscionable, void against public policy under Cal. Civ. Code §§ 1670.5 and 1668, and unenforceable in its entirety

• Claim 2: Unauthorized disclosure of customer confidential proprietary information and proprietary network information in violation of the Communications Act.

• Claim 3: Assisting unlawful access to a computer in violation of California Penal Code § 502

• Claim 4: Engaging in an unlawful business practice and violation of California’s unfair competition law

• Claim 5: Engaging in an unfair business practice in violation of California’s unfair competition law

• Claim 6: Engaging in a fraudulent business practice in violation of California’s unfair competition law

• Claim 7: Violation of California’s consumer legal remedies act

• Claim 8: Deceit by concealment in violation of California Civil Code Section1709 and 1710

• Claim 9: Misrepresentation

• Claim 10: Negligence

• Claim 11: Negligent supervision and training

• Claim 12: Negligent hiring

• Claim 13: Breach of contract with respect to the privacy policy

• Claim 14: Breach of implied contracts in the alternative to a claim for breach of express contract

• Claim 15: Breach of the covenant of good faith and fair dealing

• Claim 16: Violation of California’s Customer Records Act because of inadequate security in violation of California Civil Code Section 1798.81.5

As for relief, Mr. Terpin is seeking (1) compensatory damages of no less than $24 million; (2) exemplary and punitive damages in an amount not greater than nine times the amount of general and special damages awarded ($216 million); (3) preliminary and permanent injunctive relief enjoining and restraining AT&T from continuing to engage in unfair competition, unfair practices, violation of privacy, and other actions; (4) declaration that AT&T’s wireless customer agreement, in its entirety, is unenforceable as unconscionable and against public policy or, in the alternative, that (a) the exculpatory provision is unenforceable as against Mr. Terpin; (b) the damages resolution is unenforceable against Mr. Terpin; and (c) the indemnity is unenforceable against Mr. Terpin; (5) attorney’s fees; (6) restitution, disgorgement of wrongfully obtained profits and injunctive relief pursuant to California Unfair Competition Law; (7) declaration that AT&T’s conduct violated the California Legal Remedies Act; and (8) interest and costs of the suit and such other and further relief as the Court deems just and proper. Yikes!

**********

[1] Terpin v. AT&T Mobility LLC, Case No. 2:18-cv-06975-ODW-KS, Complaint, U.S. District Court for the Central District of California (Aug. 15, 2018) (Complaint).

[2] Complaint at ¶53.

[3] Complaint at ¶65.

[4] Complaint at ¶72.

[5] Complaint at ¶72.