Communications Litigation Today was a Warren News publication.
SIM Card Swapped

Customer Sues T-Mobile Dealer After Losing $280K in Cryptocurrency

Metro by T-Mobile’s “intentional participation” in a SIM card swap scheme, or its “recklessness and gross negligence” in failing to adequately protect employee credentials and a customer’s personal identifying information, led the customer to lose $280,000 worth of cryptocurrency due to identity theft, said a complaint (docket 2:23-cv-22) in U.S. District Court for Middle Florida in Fort Myers Wednesday.

Plaintiff William Rose of Mansfield, Massachusetts, alleged that a representative of Metro by T-Mobile authorized dealer Cellular Touch Wireless, Fort Myers, bypassed Metro by T-Mobile’s security protocols and transferred to an unauthorized person Rose’s cellular phone number after disconnecting the number from Rose’s phone’s SIM card. The unauthorized person then connected the phone number to a SIM card under his or her control, the complaint alleged.

The plaintiff, who didn't authorize the transfer, was in Ames, Iowa, Aug. 13, 2021, “thousands of miles away from Fort Myers” when the SIM card transfer was processed, alleged the complaint. He suffered identity theft and loss of control over his SIM card and cellphone number, plus a hack into his bank account and theft of cryptocurrency from his wallet at MyEtherWallet, said the complaint. “John Doe” withdrew about 1,800 Quant from the wallet Aug. 14, it said, with value calculated using market data compiled by CoinMarketCap.com.

The International Mobile Equipment Identity used by the thief with whom the defendant coordinated the unauthorized transfer of Rose’s SIM card was used in numerous other SIM swaps about the same time as Rose’s, alleged the complaint. That demonstrated that “Plaintiff’s harm was not an isolated incident and should have been flagged in, and prevented by, Cellular Touch’s and Metro by T-Mobile’s security systems,” said the complaint.

The plaintiff quoted Metro by T-Mobile marketing materials saying the company has measures to ensure its interactions with customers are with them and “not with others pretending to be you or claiming a right to access your information.” Though marketing materials say their policy is to not release account-specific information if requested by the customer, authorized dealer stores “often fail to provide reasonable and appropriate security to prevent unauthorized access to customer accounts,” the complaint said.

The complaint alleges the defendant was aware its security systems and internal software platform contained “significant holes and weaknesses” that allowed unchecked security bypasses and allowed unauthorized actors to enter the system and gain control of customer accounts and information” but didn’t take adequate actions to address them.

Over the past three years, plaintiff’s counsel, Silver Miller, has represented nearly 300 victims of unauthorized SIM swapping across the country whose individual cryptocurrency losses have ranged between $3,000 and $12.5 million, the complaint said.

The complaint’s claims include breach of the Federal Communications Act by not protecting the plaintiff’s proprietary information, violation of the Computer Fraud and Abuse Act and the Florida Computer Crimes Act for “aiding and abetting authorized access to a protected computer to obtain information” with intent to defraud, and negligence for not exercising “reasonable care” in protecting plaintiff’s personal information. It also claimed negligent training and supervision and civil conspiracy. Plaintiff seeks equitable restitution, including return of all cryptocurrency or fiat currency taken from him, plus costs and attorneys’ expenses. Cellular Touch didn’t comment Thursday.