California resident Michael Terpin, who is the co-founder of angel investing group BitAngels and BitAngels/Dapps Fund, has filed a $224 million lawsuit against his cell phone service provider AT&T. He is seeking $200 million in punitive damages and $24 million of compensatory damages for negligence.
Terpin alleges that AT&T cooperated with hackers and failed to adhere to its security procedures, resulting in the loss of $23.8 million in cryptocurrency.
The complaint was filed in the US District Court in Los Angeles.
The hackers used a technique called SIM swapping. It involves tricking a cell phone provider such as AT&T by impersonating the victim and requesting a new SIM card. Once scammers transfer the target’s phone number to a new SIM card, they can take control of all mobile accounts, including email accounts, bank accounts, crypto accounts, and entertainment accounts such as Spotify, Hulu and Netflix.
According to the complaint, “What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.”
The complaint reads,
“AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does virtually nothing to protect its customers from such fraud because it has become too big to care.”
Terpin alleges that his account was compromised twice within seven months. According to the complaint, an AT&T in-store employee cooperated with the hacker and failed to obtain valid identification or to provide a required password before initiating the SIM card swap.
“AT&T violated Section 222 of the FCA and the CPNI Rules and ignored the warning in the Pretexting Order on January 7, 2018 when its employees provided hackers with Mr. Terpin’s SIM cards containing or allowing access to Mr. Terpin’s personal information, including CPI and CPNI, without Mr. Terpin’s authorization or permission, and without requiring that the individual accessing Mr. Terpin’s account present valid identification or comply with AT&T’s own procedures.”
In an emailed statement provided to CNBC, AT&T said “we dispute these allegations and look forward to presenting our case in court.”