Communications Litigation Today was a Warren News publication.
'Take-It-or-Leave-It'

AT&T Customer Agreement 'Unenforceable,' Says SIM Swap Plaintiff

AT&T’s customer agreement is “unconscionable, void against public policy and unenforceable in its entirety,” said a Monday fraud complaint seeking declaratory judgment (docket 6:23-cv-120) in U.S. District Court for Middle Florida in Orlando. The agreement has “complete waivers and exculpatory language insulating AT&T from its own negligence in carrying out the duties required under federal and state law,” said the SIM card swap complaint.

AT&T employees or agents obtained “unauthorized access” to a customer account, viewed private personal information and transferred control over the account to a phone controlled by a third-party hacker, alleged plaintiff Al Weiss of Orange County, Florida, claiming “hundreds of thousands of dollars” in damages after the hacker hijacked his phone number in a SIM card swap.

The plaintiff had no ability to negotiate any terms of the customer agreement, which was presented on a “take-it-or-leave-it basis,” the complaint said. The agreement incorporates other documents that can be accessed online, meaning it can be “changed at any time and thus unknown” to the plaintiff at the time it’s changed, it said.

The agreement’s disclaimer and limitations provisions are “invalid” because they allocate all risks to the consumer, with AT&T “disclaiming any damages for its own conduct -- even fraud, gross negligence, and statutory violations” covered by the False Claims Act, it said. The agreement would allow AT&T “knowingly and willfully to allow SIM card theft (and the unauthorized disclosure of a customer's [private information] to hackers), in violation of the FCA, but the customer would not be entitled to the full range of damages afforded under the FCA,” it said.

AT&T doesn’t have the requisite protective measures in place to protect its customers because it allows employees and its agents to conduct SIM card changes remotely and in person “without adequate protections against unauthorized SIM swaps,” alleged the plaintiff. Hackers can perform a SIM card swap by calling a carrier’s customer support number or visiting a store and saying they have a new phone that needs to be activated. The carrier’s employee is legally required to verify the legitimacy of the request, said the complaint, noting the strength of the carrier’s internal controls and safeguards is “critical to the protection of its customers’ data.”

A hacker can initiate an unauthorized SIM swap simply by using a carrier’s self-service portal and logging into the portal using a username or password, or an unauthorized swap can be made through the active assistance of a carrier employee, the complaint said. A hacker can also access an employee’s tablet or other mobile device used to access customers’ personal information, it said. Once hackers have control over the contents of a customer’s online account, they can intercept calls and messages, impersonate the AT&T customer and carry out denial-of-service attacks, said the complaint.

The involvement of the carrier is “critical to an unauthorized SIM swap,” and SIM card theft instances have been “widely known” to carriers since 2016, the complaint said. AT&T has issued “many public statements” assuring customers it was taking adequate measures to prevent unauthorized SIM swapping, but it failed to protect the plaintiff and “thousands” of other customers, said the complaint.

The suit also alleges violation of the Federal Communications Act, negligence, negligent training and supervision, and violation of Florida’s Deceptive and Unfair Trade Practices Act. The plaintiff seeks an award of damages, interest, attorneys’ fees and legal costs.