Can AT&T be held liable for identity theft resulting from SIM swapping?
In June 2017, Michael Terpin, a prominent cryptocurrency trader from Puerto Rico, turned on his cell phone and found it didn’t work. Apparently, hackers had gone to various AT&T retail stores and tried to change his password almost a dozen times. After failing that, they were able to change the password remotely, take control of his phone number with a SIM swap, divert his calls, text messages and other information, and engage in identity theft. Once the hackers “became” Terpin, they convinced others to send cryptocurrency to the Terpin doppelganger, which they then were able to use themselves. AT&T cut off the hackers’ access and, at the request of the real Terpin, agreed to elevate his security by requiring a special PIN and validation to change any of the network or account settings. Yeah, right.
Some months later, a hacker went into an AT&T store in Norwich, Connecticut, and bribed an AT&T employee named “Jahmil Smith” to swap Terpin’s SIM settings to their phone—again allowing the hackers to “become” Terpin. The new Terpin doppelganger was able to reset passwords and steal SMS messages (the two bases for 2FA) and steal $24 million in cryptocurrency.
In August 2018, Terpin sued in federal court in Los Angeles (he owns a home in L.A.), not the unknown hackers, but AT&T. Terpin v. AT&T (C.D. Cal., Dkt. No. 2:18-cv-06975-ODW-KS). He asked for compensation for the $24 million he lost and for punitive damages totaling $240 million. On Feb. 24, Judge Otis Wright II allowed the bulk of Terpin’s claims to go forward, mostly dismissing AT&T’s motion for summary judgment. This establishes a precedent that, at least in some cases, even when the carrier mandates that all disputes be arbitrated and where it expressly tells customers that it doesn’t guarantee that their information will not be shared, carriers can be liable when they permit their customer data to be hacked.
The court held that Terpin had sufficiently pleaded that the SIM swap compromised 2FA and likely led to the theft of the cryptocurrency, and that he had established a “special relationship” between himself and AT&T sufficient to warrant a trial on whether AT&T owed “economic damages” for negligence or breach of contract. In particular, the court noted the express and implied promise by AT&T that it would protect Terpin’s data, noting that while “the contract entered into between the parties related only to mobile telephone services, Mr. Terpin was required to share his personal information with AT&T with the understanding that AT&T would adequately protect it, including the SIM card linked to his telephone number and personal data.” The court described this as an “exchange of personal information based on a promise of safekeeping.”
On the other hand, the court noted that Terpin did not assert that AT&T had an affirmative duty to tell people about the SIM swapping and related vulnerabilities and that the assertion that AT&T defrauded him by “concealing” this fact failed as a matter of law. The court observed that the consumer contract between him and AT&T contained language in which AT&T told customers that it “cannot guarantee that your Personal Information will never be disclosed in a manner inconsistent with [AT&T’s] Policy (for example, as the result of unauthorized acts by third parties that violate the law or this Policy).” In other words, well, we told you there might be a data breach or other attack on your information, so you were warned.
So it was a partial victory for both sides, but mostly for Terpin, who gets to pursue the case. The message for consumers appears to be that you are warned that SIM swapping is a problem, that it potentially compromises many types of 2FA and that anyone can become you—well, at least on the phone. If more people continue to lose more money and carriers are held liable, then maybe we can expect some technological countermeasures. Until then, watch this space.
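The two points the article makes about 2FA (that a SIM swap hands the attacker the victim's SMS messages, and that technological countermeasures exist) can be made concrete with a small model. The following is an added example, not code from the article, from AT&T or from the court record: it implements standard HOTP/TOTP (RFC 4226/6238) and a toy carrier in which a phone number is bound to one SIM and SMS goes to whoever holds that SIM. The phone number, the "victim-sim"/"attacker-sim" identifiers, the constructed SMS code and the `sms_otp_allowed` cooling-off policy are assumptions for illustration; the TOTP secret is the RFC test-vector key. The point it shows is that an SMS code follows the number, which the carrier controls, while a TOTP code is derived from a secret held on the user's device, which the SIM swap does not transfer; the policy check models one mitigation a service can apply if it receives a recent-SIM-change signal from the carrier.

```python
"""Added example: why SMS one-time codes fail under a SIM swap while
device-held TOTP secrets do not. Constructed model, not carrier code."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, unix_time // step, digits)


class Carrier:
    """Toy carrier: a number is bound to exactly one SIM id, and SMS is
    delivered to whichever SIM currently holds the number."""

    def __init__(self) -> None:
        self.number_to_sim: dict = {}
        self.last_sim_change: dict = {}

    def bind(self, number: str, sim_id: str, when: int) -> None:
        # Rebinding an existing number to a new SIM is the SIM swap.
        self.number_to_sim[number] = sim_id
        self.last_sim_change[number] = when

    def deliver_sms(self, number: str, text: str) -> tuple:
        return self.number_to_sim[number], text


def sms_otp_allowed(carrier: Carrier, number: str, now: int,
                    cooldown: int = 72 * 3600) -> bool:
    """Assumed defender-side policy (not a real carrier API): refuse SMS as a
    second factor for a cooling-off period after the number changed SIMs."""
    return now - carrier.last_sim_change.get(number, 0) >= cooldown


def simulate(sim_swapped: bool) -> dict:
    """Run one login through both second factors, with or without a SIM swap."""
    number = "+15550100"                     # constructed phone number
    totp_secret = b"12345678901234567890"    # RFC 6238 test key; lives on the victim's device
    now = 30 * 24 * 3600                     # constructed "current time"

    carrier = Carrier()
    carrier.bind(number, "victim-sim", when=0)
    if sim_swapped:
        carrier.bind(number, "attacker-sim", when=now - 3600)  # swapped an hour ago

    # SMS factor: the service texts a code; it reaches whoever holds the number now.
    sms_code = "482913"                      # constructed code
    holder, _ = carrier.deliver_sms(number, f"Your code is {sms_code}")

    # TOTP factor: only the device holding the secret can compute the code.
    expected = totp(totp_secret, now)
    victim_device_code = totp(totp_secret, now)
    attacker_code = None                     # the swap moved the number, not the secret

    return {
        "sms_code_holder": holder,
        "attacker_passes_sms": holder == "attacker-sim",
        "attacker_passes_totp": attacker_code == expected,
        "victim_passes_totp": victim_device_code == expected,
        "sms_otp_allowed_by_policy": sms_otp_allowed(carrier, number, now),
    }


if __name__ == "__main__":
    for swapped in (False, True):
        print("SIM swapped" if swapped else "No swap", simulate(swapped))
```

Two things are worth noticing when running it: after the swap the SMS code is delivered to `attacker-sim` while the TOTP challenge still only succeeds for the victim's device, and the cooling-off policy refuses SMS as a factor for a number that changed SIMs an hour ago, which is the kind of carrier signal a service would need in order to react at all.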