T-Mobile Failed to Protect Customer Info, Says SIM Card Class Action
The Dec. 21 class action alleging T-Mobile failed to protect customers' information in a SIM card swap fraud (see 2211160016) was assigned to U.S. District Judge Lauren King for Western Washington in Seattle, whose Dec. 22 summons gave the defendant 21 days to answer the complaint (docket 2:22-cv-1805).
The complaint alleges T-Mobile’s “gross negligence” in protecting consumers’ data, its “negligent hiring and supervision” of employees responsible for safeguarding that information and its violations of the Federal Communications Act and Computer Fraud and Abuse Act, plus state laws designed to protect wireless service customers, resulted in the loss of millions of dollars for plaintiffs in the class action.
Plaintiffs have also been subjected to “repeated attacks” on their accounts that deprived them of access to their cellphones and exposed personal and financial information to thieves, said the complaint. Once a hacker has access to a phone number, they control text-based two-factor authentication checks designed to add a layer of protection to bank, social media and email accounts, it noted.
A SIM-swap is not an isolated criminal act by a third party but one that requires the wireless service provider to reassign a customer’s phone number from the SIM card in the customer’s phone to a card controlled by the third party, the complaint said, saying SIM swaps are "effectuated by the wireless service provider itself." T-Mobile's actions and failure to act demonstrate “reckless disregard” for plaintiffs’ rights and the carrier’s legal obligations, it said.
As a regulated wireless carrier, T-Mobile has a well-established duty, and one it promotes, to protect the security and privacy of customers’ confidential proprietary information and customer proprietary network information, the complaint noted. The carrier has been “on notice for years” that its security measures are inadequate, said the complaint.
Among the claims against T-Mobile are that it allowed porting out of phone numbers without confirming that the request came from legitimate phone numbers and that it failed to suspend user credentials after a certain number of unsuccessful access attempts. The carrier also failed to monitor its systems for the presence of unauthorized access in a way that would allow it to detect an intrusion, alleged the complaint. The class action seeks a judgment against T-Mobile for exemplary and punitive damages for its “knowing, willful and/or intentional conduct.”
Plaintiff Tara Bennett lost over $14,000 in funds or assets due to a SIM swap, and plaintiff Edward Polhill lost over $5,000, the complaint alleges. The class includes all current and former T-Mobile customers for whom the carrier transferred control of the customer’s phone number to a SIM card controlled by an unauthorized third party. The proposed class “is believed to be so numerous that joinder of all members is impracticable,” said the complaint, citing T-Mobile’s 100 million customers. The complaint numbered total class members "in the thousands, if not tens of thousands," of individuals.