Communications Litigation Today was a Warren News publication.
Thieves 'Living Large'

Apple User Sues to Recover AppleID Access After His Account Was Hacked

An Apple customer sued the company to retrieve 20 years’ worth of private and personal data after losing all access to his AppleID due to “a series of unfortunate events,” according to the customer's complaint Friday (docket 24-cv-433194) in Santa Clara County Superior Court.

Plaintiff David Yang’s iPhone 15 was stolen Feb. 24 while he was visiting New York, the complaint said. By the time the Los Angeles resident returned to his hotel and attempted to use his MacBook Pro to erase data on his phone using Apple’s Find My app, thieves had "hacked into his phone and changed his Apple ID password," said the complaint. They also changed his trusted number contact, it said. Yang took his MacBook to an Apple store to try to reset his password; employees instructed him to call Apple Support from the store.

Apple Support informed Yang “it was too late,” said the complaint. After hacking his phone and resetting his AppleID password, thieves had access to Yang’s Apple account, private and personal data, Social Security number, passport data, credit cards, bank and brokerage accounts, and every website user ID and password Yang had saved in the iCloud Key Chain, including work files, tax returns, photos and music, it said.

Yang stopped practicing law a few years ago to launch “entrepreneurial projects,” said the complaint. Ironically, as a lawyer, he drafted patent applications for the iPhone in 2003, and represented Apple in “numerous patent litigation matters,” the complaint said. In addition to lost personal information, his phone had information associated with a business identity Yang had registered with the Apple development program to create an app on the Apple Store, the complaint said. Because he had begun the process of gaining Apple’s approval to put his app on the App Store using his AppleID, the company would not allow him to continue that process with a new AppleID since the employee identification number of the business entity is “locked with the stolen AppleID,” it said.

With the loss of his AppleID and iCloud content, Yang’s App Knowledge Base, and all the related tools, development efforts and products related to his company “cannot be offered on the Apple Store without having to wind down his existing corporation (which includes other shareholders besides Mr. Yang himself), start a new business entity, transfer all IP and technology to the new corporation, and repeat all of the development registration process,” said the complaint.

The thieves, meanwhile, were “living large” using Yang's phone as an ATM, said the complaint. They sent $1,000 from Yang’s checking account to a used car dealer in New Jersey via Zelle, it said. In addition, they opened an Apple credit card, spent $6,141 on it and took a 3.5-hour Uber ride in New York for $397.79, it said. They also took $5,000 from his PayPal and $2,000 from his Venmo accounts, it said.

Upon returning to Los Angeles, Yang filed an identity theft report with the FTC, a police report, and an account recovery request with Apple; the thieves canceled the Apple account recovery request, the complaint said. Yang sent 24 emails to Apple from Feb. 25-March 13 and has “exhausted all possibilities that Apple might provide meaningful assistance in recovering his AppleID and his iCloud data,” the complaint said.

Though Yang is able to provide Apple with “all the information needed” to verify his identity and that the information he seeks is actually his, “Apple flatly refuses to provide” him access to his Apple account and iCloud data, the complaint said. Instead, Apple continues to provide identity thieves with “unfettered access” and the ability to “steal user data, funds, accounts and to create false and fraudulent accounts using Yang’s identity,” it said.

With “unmitigated access” to Yang’s stolen phone, passcode and recovery key, identity thieves can steal money via Apple Pay and other banking apps, view email and photos, including photos of Yang’s children, and “harvest data" from iCloud that can "create fraudulent new accounts in the name of the user and essentially hijack one’s entire digital life,” the complaint said.

Apple recently added a “stolen device protection” option in the latest iPhone operating system update with features designed to impede identity thieves, said the complaint. The features “may substantially reduce the number of victims of iPhone theft who are then permanently locked out of their Apple accounts and iCloud data,” but some Apple customers “are still going to need Apple’s help to recover their accounts and data,” it said.

Yang’s complaint requests that Apple promptly allow him to verify his identity and rightful ownership of his AppleID. That will let Yang “regain access to and sole dominion over his Apple account and iCloud data," log out unauthorized devices on his AppleID, erase his stolen phone and investigate whether his iCloud data was downloaded to other Apple devices “and, if so, erase it,” it said. Causes of action are conversion, violation of California civil and business codes and its Customer Records Act. In addition, Yang seeks an award of all direct, incidental and consequential damages in an amount equal to $1, plus attorneys’ fees and costs. Apple didn’t comment Monday.