AT&T customer lawsuit alleges employee-aided SIM swap led to $1.8 million theft of cryptocurrency and more

Stephen Palley

Shapiro v. AT & T Mobility, LLC, Case №2:19-cv-8972 (C.D. Cal. filed October 17, 2019)[NMR/SDP]

Link to Complaint

SIM swapping is a problem that many in crypto have unfortunately had to face, some multiple times.  If you're at all prominent in the space -- and even if you're not -- your phone number is liable to be SIM swapped (ported from your device to another.)  This particular case doesn’t necessarily involve someone well known on "crypto twitter", but it does involve the alleged theft of $1.8 million of money including crypto.  

A large number of SIM swap cases have been resolved in private arbitration, in part because of arbitration clauses that mobile carriers include in their user agreements. This case is one a few that have been publicly filed, and the allegations are alarming -- including a claim that AT&T insiders were deeply involved in what sounds like a devastating SIM swapping scheme. 

The plaintiff is Seth Shapiro, a resident of California. The Complaint says that Mr. Shapiro is a “a two-time Emmy Award-winning media and technology expert, author, and adjunct professor at the University of Southern California School of Cinematic Arts.” He also was, at the relevant times for the lawsuit, a subscriber of AT&T. AT&T “is the second largest wireless carrier in the United States, with more than 153 million subscribers, earning $71 billion in total operating revenues in 2017 and $71 billion in 2018.”

The gist of the case is that Shapiro alleges AT&T failed to protect his account from a SIM swap that resulted in a major loss of cryptocurrency. What specifically happened?  According to the complaint:

On at least four occasions between May 16, 2018 and May 18, 2019, AT&T employees obtained unauthorized access to Mr. Shapiro’s AT&T wireless account, viewed his confidential and proprietary personal information, and transferred control over Mr. Shapiro’s AT&T wireless number from Mr. Shapiro’s phone to a phone controlled by third-party hackers in exchange for money.

As if the preceding allegations weren’t bad enough, the end result was:

The hackers then utilized their control over Mr. Shapiro’s AT&T wireless number — including control secured through cooperation with AT&T employees — to access his personal and digital finance accounts and steal more than $1.8 million from Mr. Shapiro.

Even worse, the scheme allegedly involved AT&T employees working on the inside with outside hackers. And, unsurprisingly, there are chat logs:

At the end of the chat, a group member brags that they “made 1.3 [million]” and they begin plotting about how to route the stolen cryptocurrency through various accounts and currencies in order to cover their trail. They also brag about plans to “buy some Gucci” or a “dream car” with the money they stole from Mr. Shapiro.

Apparently, Mr. Shapiro was in fact SIM-swapped multiple times, and all of his personal information was taken along with access to other accounts such as Google, and Evernote. Furthermore, Mr. Shapiro’s family was impacted, and he was threatened. It sounds awful. Despite this, after each incident, AT&T allegedly said they followed proper procedures and alerted necessary authorities, but as the complaint states, “Mr. Shapiro’s trust in AT&T was misplaced.”

So, What is Shapiro actually suing for; in other words, what is the cause of action?

One header in the lawsuit summarizes the nature of the action: “AT&T’s Repeated Failures to Protect Mr. Shapiro’s Account from Unauthorized Access Are a Violation of Federal Law.” The argument alleges that AT&T is fully aware that the information they hold in trust for their subscribers is highly sensitive and extremely valuable. Mr. Shapiro is arguing that AT&T knows this to be the case, yet the company has failed in a variety of ways to take the necessary steps to protect their subscriber’s information. 

Specifically, Shapiro has alleged violations of federal and state laws, in addition to common law torts. This includes (1) an alleged violation of the Federal Communications act for allegedly failing to protect confidentiality of his account information, (2) an alleged violation of the California state unfair business practices statute, (3) an alleged violation of the California state constitution's right to privacy, (4) two negligence claims, (5) an alleged violation of California Consumer's Legal Remedies Act and (6) a violation of the Federal Consumer Fraud and Abuse Act.  He seeks actual and punitive damages and injunctive relief. 

These statutory claims are creative. They may be a tactic to try to get around AT&T's arbitration agreement in its terms of service. The allegations in the complaint, if true, are really awful and seem calculated to give a court good reason to let these claims be litigated openly.

At the same time, it is somewhat inexplicable that the plaintiff maintained his service with AT&T after multiple hacks, as so many other alleged victims also fail to do. Additionally, he apparently didn't switch from using his phone for two-factor authentication to apps or change to a new phone number. Those facts may or may not be relevant. We don't know. 

Anyway, this is obviously a suit between two highly motivated parties. Mr. Shapiro has apparently been through the wringer. AT&T definitely doesn’t want to lose this high profile case given the recent prevalence of the SIM swap + cryptocurrency theft problem. The company will likely face nasty PR and further questions about its employee oversight and practices if the allegations in the lawsuit prove to be true.

And it would be extremely problematic for AT&T if a court said its customers had a constitutional right of privacy that a telco could violate by allowing unauthorized account transfer.  

This is an extremely interesting complaint, it is well crafted, and it is one that we will be watching closely.

Shapiro SIM Swap Case by Anonymous XdelME on Scribd