throbber
Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 1 of 58 Page ID #:1
`
`
`
`
`
`
`
`PIERCE BAINBRIDGE BECK PRICE
`& HECHT LLP
`Thomas D. Warren (State Bar No. 160921)
`twarren@piercebainbridge.com
`Andrew Calderón (State Bar No. 316673)
`acalderon@piercebainbridge.com
`355 S. Grand Avenue, 44th Floor
`Los Angeles, CA 90071
`Telephone: (213) 262-9333
`Facsimile: (213) 279-2008
`
`Dwayne D. Sam (pro hac
`application forthcoming)
`dsam@piercebainbridge.com
`600 Pennsylvania Avenue NW
`South Tower, Suite 700
`Washington, DC 20004
`Telephone: (202) 843-8342
`Facsimile: (646) 968-4125
`
`Counsel for Plaintiff Seth Shapiro
`
`
`
`THE UNITED STATES DISTRICT COURT
`FOR THE CENTRAL DISTRICT OF CALIFORNIA
`
`
`
`
`SETH SHAPIRO,
`Plaintiff,
`
`v.
`AT&T MOBILITY, LLC,
`Defendant.
`
`
`
`
`
`
` Case No. 2:19-cv-8972
`
`CIVIL COMPLAINT
`
`DEMAND FOR JURY TRIAL
`
`
`
`
`
`
`
`
`
`
`
`
`
`CIVIL COMPLAINT
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 2 of 58 Page ID #:2
`
`
`I. NATURE OF THE ACTION
`This action arises out of AT&T’s repeated failure to protect its
`1.
`wireless cell service subscriber—Seth Shapiro—from its own employees, resulting
`in massive and ongoing violations of Mr. Shapiro’s privacy, the compromise of his
`highly sensitive personal and financial information, and the theft of more than $1.8
`million.
`AT&T is the country’s largest wireless service provider. Tens of
`2.
`millions of subscribers entrust AT&T with access to their confidential information,
`including information that can serve as a key to unlock subscribers’ highly
`sensitive personal and financial information.
`Recognizing the harms that arise when wireless subscribers’ personal
`3.
`information is accessed, disclosed, or used without their consent, federal and state
`laws require AT&T to protect this sensitive information.
`AT&T also recognizes the sensitivity of this data, and promises its
`4.
`subscribers that it “will protect [customers’] privacy and keep [their] personal
`information safe” and that it “will not sell [customers’] personal information to
`anyone, for any purpose. Period.” AT&T repeatedly broke these promises.
`In an egregious violation of the law and its own promises, and despite
`5.
`advertising itself as a leader in technological development and as a cyber security-
`savvy company, AT&T repeatedly failed to protect Mr. Shapiro’s account and the
`sensitive data it contained. AT&T failed to implement sufficient data security
`systems and procedures and failed to supervise its own personnel, instead standing
`by as its employees used their position at the company to gain unauthorized access
`to Mr. Shapiro’s account in order to rob, extort, and threaten him in exchange for
`money.
`AT&T’s actions and conduct were a substantial factor in causing
`6.
`significant financial and emotional harm to Mr. Shapiro and his family. But for
`
`
`
`– 1 –
`COMPLAINT
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 3 of 58 Page ID #:3
`
`
`AT&T employees’ involvement in a conspiracy to rob Mr. Shapiro, and AT&T’s
`failure to protect Mr. Shapiro from such harm through adequate security and
`oversight systems and procedures, Mr. Shapiro would not have had his personal
`privacy repeatedly violated and would not have been a victim of SIM swap theft.
`7. Mr. Shapiro brings this action to hold AT&T accountable for its
`violations of federal and state law, and to recover for the grave financial and
`personal harm suffered by Mr. Shapiro and his family as a direct result of AT&T’s
`acts and omissions, as detailed herein.
`II. THE PARTIES
`Plaintiff Seth Shapiro is, and at all relevant times was, a resident of
`8.
`California. Mr. Shapiro currently resides in Torrance, CA, with his wife and two
`young children.
`9. Mr. Shapiro is a two-time Emmy Award-winning media and
`technology expert, author, and adjunct professor at the University of Southern
`California School of Cinematic Arts. He regularly advises Fortune 500 companies
`on business development in media and technology. Mr. Shapiro was also an early
`investor in digital currencies.
`10. Mr. Shapiro is a former AT&T wireless customer. He purchased a
`wireless cell phone plan from AT&T in Los Angeles, California in approximately
`2006 for personal use and was an active, paying AT&T wireless subscriber at all
`times relevant to the allegations in this Complaint.
`11. Defendant AT&T Mobility, LLC (hereinafter, “AT&T”) is a Delaware
`limited liability corporation with its principal office or place of business in
`Brookhaven, Georgia. AT&T “provides nationwide wireless services to consumers
`and wholesale and resale wireless subscribers located in the United States or U.S.
`territories” and transacts or has transacted business in this District and throughout
`the United States. It is the second largest wireless carrier in the United States, with
`
`
`
`– 2 –
`COMPLAINT
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 4 of 58 Page ID #:4
`
`
`more than 153 million subscribers, earning $71 billion in total operating revenues
`in 2017 and $71 billion in 2018. As of December 2017, AT&T had 1,470 retail
`locations in California.1
`12. AT&T provides wireless service to subscribers in the United States.
`AT&T is a “common carrier” governed by the Federal Communications Act
`(“FCA”), 47 U.S.C. § 151 et seq. AT&T is regulated by the Federal
`Communications Commission (“FCC”) for its acts and practices, including those
`occurring in this District.
`13. AT&T Inc., AT&T’s parent company, acknowledged in its 2018
`Annual Report that its “profits and cash flow are largely driven by [its] Mobility
`business” and “nearly half of [the] company’s EBITDA (earnings before interest,
`taxes, depreciation and amortization) come from Mobility.”2
`14. Despite the importance of its mobility business, instead of focusing on
`providing ramping up security for their customers, AT&T Inc. has gone on a
`buying spree costing over $150 billion, acquiring: Bell South (including Cingular
`Wireless and Yellowpages.com), Dobson Communications, Edge Wireless,
`Cellular One, Centennial, Wayport, Qualcomm Spectrum, Leap Wireless, DirecTV,
`and Iusacell and NII Holdings (now AT&T Mexico). During the same period,
`AT&T’s mobile phone business was rated as the worst among major providers.
`Consumer Reports named it the “worst carrier” in 2010, and the next year, J.D.
`Power found AT&T’s network the least reliable in the country—a dubious
`achievement that it also earned in prior years. Little wonder that its customers
`were the least happy of subscribers of the Big Four carriers according to the
`American Consumer Index. In the meantime, AT&T Inc. has purchased for a total
`equity value of $85.4 billion Time Warner Inc.—the owner of HBO, Warner Bros,
`
`
`1 “About Us,” AT&T, available at https://engage.att.com/california/about-us/. All URLs in this
`complaint were last accessed on October 15, 2019.
`2 Id.
`
`
`
`– 3 –
`COMPLAINT
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 5 of 58 Page ID #:5
`
`
`CNN, Turner Broadcasting, Cartoon Network, Turner Classic Movies, TBS, TNT
`and Turner Sports.
`JURISDICTION AND VENUE
`III.
`15. This Court has jurisdiction over this matter under 28 U.S.C. § 1331
`because this case arises under federal question jurisdiction under the Federal
`Communications Act (“FCA”). The Court has supplemental jurisdiction under 28
`U.S.C. § 1367 over the state law claims because the claims are derived from a
`common nucleus of operative facts. The Court also has jurisdiction over this
`action pursuant to 28 U.S.C. § 1332 because Mr. Shapiro is a citizen of a different
`state than AT&T.
`16. This Court has personal jurisdiction over AT&T because AT&T
`purposefully directs its conduct at California, transacts substantial business in
`California (including in this District), has substantial aggregate contacts with
`California (including in this District), engaged and is engaging in conduct that has
`and had a direct, substantial, reasonably foreseeable, and intended effect of causing
`injury to persons in California (including in this District), and purposely avails
`itself of the laws of California. AT&T had more than 33,000 employees in
`California as of 2017, and 1,470 retail locations in the state.3 Mr. Shapiro
`purchased his AT&T wireless plan in California, visited AT&T retail locations in
`California, and was injured in California by the acts and omissions alleged herein.
`In accordance with 28 U.S.C. § 1391, venue is proper in this District
`17.
`because a substantial part of the conduct giving rise to Mr. Shapiro’s claims
`occurred in this District and Defendant transacts business in this District. Mr.
`Shapiro purchased his AT&T wireless plan in this District and was harmed in this
`District, where he resides, by AT&T’s acts and omissions, as detailed herein.
`IV. ALLEGATIONS APPLICABLE TO ALL COUNTS
`
`
`3 “About Us,” AT&T California, supra at 1.
`– 4 –
`COMPLAINT
`
`
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 6 of 58 Page ID #:6
`
`
`18. As a telecommunications carrier, AT&T is entrusted with the sensitive
`wireless account information and personal data of millions of Americans, including
`Mr. Shapiro’s confidential and sensitive personal and account information.
`19. Despite its representations to its customers and its obligations under
`the law, AT&T has failed to protect Mr. Shapiro’s confidential information. On at
`least four occasions between May 16, 2018 and May 18, 2019, AT&T employees
`obtained unauthorized access to Mr. Shapiro’s AT&T wireless account, viewed his
`confidential and proprietary personal information, and transferred control over Mr.
`Shapiro’s AT&T wireless number from Mr. Shapiro’s phone to a phone controlled
`by third-party hackers in exchange for money. The hackers then utilized their
`control over Mr. Shapiro’s AT&T wireless number—including control secured
`through cooperation with AT&T employees—to access his personal and digital
`finance accounts and steal more than $1.8 million from Mr. Shapiro.
`20. This type of telecommunications account hacking behavior is known
`as “SIM swapping.”
`SIM Swapping is a Type of Identity Theft Involving the Transfer
`A.
`of a Mobile Phone Number.
`21. On four occasions in 2018 and 2019, Mr. Shapiro was the target of
`“SIM swapping.”
`“SIM swapping” refers to a relatively simple scheme, wherein third
`22.
`parties take control of a victim’s wireless phone number. The hackers then use that
`phone number as a key to access the victim’s digital accounts, such as email, file
`storage, and financial accounts.
`23. Most cell phones, including the iPhone owned by Mr. Shapiro at the
`time of his SIM swaps, have internal SIM (“subscriber identity module”) cards. A
`SIM card is a small, removable chip that allows a cell phone to communicate with
`the wireless carrier and the carrier to know what subscriber account is associated
`with that phone. The connection between the phone and the SIM card is made
`– 5 –
`COMPLAINT
`
`
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 7 of 58 Page ID #:7
`
`
`through the carrier, which associates each SIM card with the physical phone’s
`IMEI (“international mobile equipment identity”), which is akin to the phone’s
`serial number. Without a working SIM card and effective SIM connection, a phone
`typically cannot send or receive calls or text messages over the carrier network.
`SIM cards can also store a limited amount of account data, including contacts, text
`messages, and carrier information, and that data can help identify the subscriber.
`24. The SIM card associated with a wireless phone can be changed. If a
`carrier customer buys a new phone that requires a different sized SIM card, for
`example, the customer can associate his or her account with a new SIM card and
`the new phone’s IMEI by working with their cell phone carrier to effectuate the
`change. This allows carrier customers to move their wireless number from one cell
`phone to another and to continue accessing the carrier network when they switch
`cell phones. For a SIM card change to be effective, the carrier must authenticate
`the request and actualize the change. AT&T allows its employees to conduct SIM
`card changes for its customers remotely or in its retail stores.
`25. A SIM swap refers to an unauthorized and illegitimate SIM card
`change. During a SIM swap attack, the SIM card associated with the victim’s
`wireless account is switched from the victim’s phone to a phone controlled by a
`third party. This effectively moves the victim’s wireless phone—including any
`incoming data, texts, and phone calls associated with the victim’s phone—from
`their phone to a phone controlled by the third party (also referred to herein as a
`“hacker”). The hacker’s phone then becomes the phone associated with the
`victim’s carrier account, and the hacker receives all of the text messages and phone
`calls intended for the victim.4 Meanwhile, the victim’s phone loses its connection
`to the carrier network.
`
`4 As described by federal authorities in prosecuting SIM swap cases, SIM swapping enables
`hackers to “gain control of a victim’s mobile phone number by linking that number to a
`subscriber identity module (‘SIM’) card controlled by [the hackers]—resulting in the victim’s
`
`
`
`
`– 6 –
`COMPLAINT
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 8 of 58 Page ID #:8
`
`
`26. Once hackers have control over the victim’s phone number, they can
`use that control to access the victim’s personal online accounts, such as email and
`banking accounts, through exploiting password reset links sent via text message to
`the now-hacker-controlled-phone or the two-factor authentication processes
`associated with the victim’s digital accounts. Two-factor authentication allows
`digital accounts to be accessed without a password, or allows the account password
`to be changed. One common form of two-factor authentication is through text
`messaging. Rather than enter a password, the hacker requests that a password reset
`be sent to the mobile phone number associated with the account. Because the
`hacker now controls that phone number, the reset code is sent to them. The hacker
`can then log into, and change the password for, the victim’s account, allowing
`them to access the contents of the account.5
`27. The involvement of a SIM swap victim’s wireless carrier is critical to
`an effective SIM swap. In order for a SIM swap to occur and for a SIM swap
`victim to be at any risk, the carrier must receive a request to change a victim’s SIM
`card and effectuate the transfer of the victim’s phone number from one SIM card to
`another.
`In Mr. Shapiro’s case, not only did AT&T employees access his
`28.
`account and authorize changes to that account without Mr. Shapiro’s consent, but
`its employees actively profited from this unauthorized access by knowingly giving
`control over his phone number to hackers for the purposes of robbing him.
`
`
`phone calls and short message service (‘SMS’) messages being routed to a device controlled by
`[a hacker].” United States of America v. Conor Freeman, et al., No. 2:19-cr-20246-DPH-APP
`(E.D. Mich. Filed Apr. 18, 2019) (hereafter, “Freeman Indictment”), ECF. No. 1 at ¶ 3 (attached
`hereto as Exhibit A).
`5 See, e.g., Id. at ¶ 4 (“Once [hackers] had control of a victim’s phone number, it was leveraged
`as a gateway to gain control of online accounts such as the victim’s email, cloud storage, and
`cryptocurrency exchange accounts. Sometimes this was achieved by requesting a password-reset
`link be sent via [text messaging] to the device control by [hackers]. Sometimes passwords were
`compromised by other means, and [the hacker’s] device was used to received two-factor
`authentication (‘2FA’) message sent via [text message] intended for the victim.”).
`– 7 –
`COMPLAINT
`
`
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 9 of 58 Page ID #:9
`
`
`B. AT&T Allowed Unauthorized Access to Mr. Shapiro’s Account
`Four Times Over the Course of Approximately One Year.
`29. Between May 16, 2018 and May 18, 2019, AT&T employees accessed
`Mr. Shapiro’s AT&T wireless account without his authorization, obtained his
`confidential and proprietary personal information, and sold that information to
`third parties who then used it to steal from Mr. Shapiro, access his sensitive and
`confidential information, and threaten his family.
`30. On May 16, 2018 at approximately 1:35 PM ET, Mr. Shapiro’s AT&T
`SIM card was changed without his knowledge or authorization for the first time.
`31. At the time of the SIM swap, Mr. Shapiro was attending a conference
`in New York City. He noticed that his AT&T cell phone had lost service. Mr.
`Shapiro’s device was no longer connected to the AT&T wireless network, and he
`was no longer able to place or receive wireless calls.
`32. Mr. Shapiro immediately suspected that a SIM swap attack was
`underway and called AT&T in an attempt to secure his account. Mr. Shapiro
`informed the AT&T customer service agent that he suspected his account had been
`accessed without authorization and that he was in possession of large amounts of
`digital currency, which he feared could be at risk.
`33. During his call with AT&T, Mr. Shapiro repeatedly asked to speak to
`upper management or to be connected to the AT&T department responsible for
`security. AT&T records confirm Mr. Shapiro’s request to speak to the fraud
`department. Mr. Shapiro was (incorrectly) told that no such department existed,
`and his call was never escalated to management. Instead, he was put on lengthy
`holds and ultimately told to turn off his phone and go to an AT&T retail location
`for further assistance. His AT&T service was then suspended.
`Immediately upon ending the call with AT&T’s customer service, Mr.
`34.
`Shapiro went to an AT&T retail store in Manhattan, New York.6 Upon arriving,
`
`6 This AT&T retail store is located at 1330 Avenue of the Americas, New York, NY 10019.
`– 8 –
`COMPLAINT
`
`
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 10 of 58 Page ID #:10
`
`
`Mr. Shapiro informed AT&T employees—including an AT&T sales representative,
`Juneice Arias—that he suspected unauthorized SIM swap activity on his account
`and once again advised that he had confidential information and digital currency
`that could be at risk.
`35. AT&T employees advised Mr. Shapiro to purchase a new wireless
`phone with a new SIM card from AT&T. On this advice, Mr. Shapiro purchased a
`new iPhone for several hundred dollars, as well as a new SIM card, in the AT&T
`retail store. AT&T employees then activated the new phone and the new SIM card
`and restored Mr. Shapiro’s service, thereby allowing Mr. Shapiro to regain control
`over his AT&T cell phone number.
`36. AT&T employees told Mr. Shapiro at that time that they had noted the
`SIM swap activity in his account and assured him that his SIM card would not be
`swapped again without his authorization. On this assurance, Mr. Shapiro decided
`not to close his AT&T account.
`37. Mere minutes later—while Mr. Shapiro was still in the AT&T retail
`store—Mr. Shapiro’s AT&T account was again improperly accessed, and the SIM
`card associated with his phone number was changed. Mr. Shapiro again lost
`control over his AT&T cell phone number.
`38. Mr. Shapiro immediately informed AT&T employees that AT&T had
`once again allowed an unauthorized SIM swap. Employees informed him that he
`needed to wait until it was his turn to be assisted.
`39. Mr. Shapiro waited for approximately 45 minutes inside the AT&T
`retail store for help from AT&T employees. In that time, third-party individuals
`were able to use their control over Mr. Shapiro’s AT&T cell phone number to
`access Mr. Shapiro’s personal and financial accounts and rob him of approximately
`$1.8 million, all while Mr. Shapiro stood helplessly in the AT&T store asking for
`the company’s help.
`
`
`
`– 9 –
`COMPLAINT
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 11 of 58 Page ID #:11
`
`
`40. While third parties had control over Mr. Shapiro’s AT&T wireless
`number, they used that control to access and reset the passwords for Mr. Shapiro’s
`accounts on cryptocurrency exchange platforms, including KuCoin, Bittrex, Wax,
`Coinbase, Huobi, Crytopia, LiveCoin, HitBTC, Coss.io, Liqui, and Bitfinex.
`Cryptocurrency exchanges are online platforms where different forms of
`cryptocurrency (e.g. bitcoin) are bought and sold.
`41. Before the May 2018 SIM swaps, Mr. Shapiro had raised funds in the
`form of cryptocurrency for a new business venture. This capital, as well as Mr.
`Shapiro’s personal funds, was accessed by the hackers utilizing their control over
`Mr. Shapiro’s AT&T wireless number, although the business funds were stored
`separately from Mr. Shapiro’s personal funds.
`42. By utilizing their control over Mr. Shapiro’s AT&T cell phone
`number—and the control of additional accounts (such as his email) secured
`through that number by utilizing two factor authentication—these third-party
`hackers were able to access Mr. Shapiro’s accounts on various cryptocurrency
`exchange platforms, including the accounts he controlled on behalf of his business
`venture. The hackers then transferred Mr. Shapiro’s currency from Mr. Shapiro’s
`accounts into accounts that they controlled.7 In all, they stole more than $1.8
`million from Mr. Shapiro in the two consecutive SIM swap attacks on May 16,
`2018.
`
`43. On information and belief, the hackers also utilized their control over
`Mr. Shapiro’s AT&T wireless number to access and steal Mr. Shapiro’s currency
`
`
`7 See Affidavit for Search Warrant, Florida v. Ricky Handschumacher, No. 18-cf-4271-AXWS
`(6th Dis. Fl. July 25, 2018) (attached hereto as Exhibit B) at p. 8 (explaining how hackers—
`including hackers involved in robbing Mr. Shapiro—would “gain access to the victim’s email
`accounts and cryptocurrency exchanges…[and] use the victim’s funds to purchase
`cryptocurrencies and transfer it to a accounts [sic] or wallets the [hackers] controlled.”). Due to
`the nature of cryptocurrency, this process makes it extremely difficult to track and seize the
`location of stolen cryptocurrency.
`
`
`
`– 10 –
`COMPLAINT
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 12 of 58 Page ID #:12
`
`
`on cryptocurrency exchanges (including Liqui.io, Livecoin, and Huobi) to which
`Mr. Shapiro was never able to regain access.
`44. The hackers also used their control over Mr. Shapiro’s AT&T cell
`phone number to access and change the passwords for approximately 15 of Mr.
`Shapiro’s online accounts, including four email addresses, his Evernote account (a
`web application for taking notes and making task lists), and his PayPal account (a
`digital payment platform).
`It took Mr. Shapiro approximately 14 hours to regain access to and
`45.
`restore control over his email and other personal accounts. By then, however, the
`damages was done: these accounts, and all of their contents, had already been
`compromised.
`46. Criminal investigations into the May 2018 breaches to Mr. Shapiro’s
`AT&T account and the resulting theft revealed that at least two AT&T employees,
`acting in the scope of their employment, accessed and permitted others to access
`Mr. Shapiro’s AT&T account and the confidential information contained therein.8
`As federal authorities describe, “These employees, while not necessarily knowing
`the entirety of [the hackers] plans, were aware that they were assisting in the theft
`of identities of subscribers to their employer’s services.”9
`47. The two AT&T employees involved, Robert Jack and Jarratt White,10
`reside in Arizona. AT&T confirmed their employment,11 their involvement in the
`
`
`8 See Criminal Complaint and Affidavit, United States of America v. Jarratt White, et al., No.
`2:19-mj-30227-DUTY (E.D. Mich. Filed May 2, 2019) (hereafter, “White Affidavit”), ECF No.
`1 (attached hereto as Exhibit C).
`9 Id. at ¶ 8.
`10 Id. at ¶¶ 10-15 (describing White’s involvement in the unauthorized access of Mr. Shapiro’s
`AT&T account and the resulting theft) and ¶¶ 16-19 (describing Jack’s involvement).
`11 Id. at ¶ 15 (“AT&T confirmed that WHITE was a contract employee from Tucson, Arizona.”)
`and ¶ 16 (“Based on records provided from AT&T, ROBERT JACK, a second AT&T contract
`employee from Tucson, Arizona… .”)
`
`
`
`
`– 11 –
`COMPLAINT
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 13 of 58 Page ID #:13
`
`
`unauthorized access of Mr. Shapiro’s account,12 and their involvement in the two
`SIM swaps that occurred on May 16, 2018.
`48. Specifically, criminal investigations reveal that a third-party (an
`individual identified by authorities as “JD”) paid Jack and White to change the
`SIM card associated with Mr. Shapiro’s AT&T account from the SIM card in Mr.
`Shapiro’s phone to a SIM card in a phone controlled by JD and others.13
`In order to effectuate the swaps, Jack and/or White used their access
`49.
`to Mr. Shapiro’s account—access gained through their AT&T employment—to
`view his confidential AT&T account information and effectuate the SIM swaps
`without Mr. Shapiro’s knowledge or consent.
`JD paid White $4,300 in exchange for White using his position,
`50.
`knowledge, and authority as an AT&T employee to conduct SIM swaps, including
`the May 16, 2018 SIM swaps of Mr. Shapiro.14 White then paid Jack $585.25 for
`his involvement in the swaps.15
`51. On information and belief, AT&T data shows that White and Jack
`were prolific SIM swappers. White conducted 29 unauthorized SIM swaps in May
`2018,16 while Jack conducted 12 unauthorized swaps that same month.17
`52. Criminal investigations have also identified the AT&T employees’
`third-party co-conspirators and revealed additional information about the
`employees’ involvements in the scheme.
`53. For example, police officers located documents on the computer of
`one co-conspirator hacker (identified as “CS1”) labeled “ATT Plug.”18 In the SIM
`
`
`12 Id. at ¶¶ 11, 15-16.
`13 Id. at ¶¶ 11, 16-19.
`14 Id. at ¶¶ 11-12.
`15 Id. at ¶ 19.
`16 Id. at ¶ 15.
`17 Id. at ¶ 16.
`18 Ex. B at p. 7.
`
`
`
`
`– 12 –
`COMPLAINT
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 14 of 58 Page ID #:14
`
`
`swap context, a “plug” is a telecommunication carrier employee who uses their
`knowledge and access to assist in SIM swaps.
`Investigators were also able to obtain a log of a chat conversation held
`54.
`online between the third-party co-conspirator hackers, wherein they plotted and
`executed the theft of Mr. Shapiro’s currency.19
`55. The chat begins with the group discussing working with an AT&T
`employee to access Mr. Shapiro’s AT&T wireless account and swap his SIM card.
`At 1:19 PM on May 16, 2018, one member of the group asks, “What is plug
`doing[?]”20 On information and belief, this refers to the group’s AT&T plug:
`White or Jack. The same member requests at 1:31 that another member “message
`[the plug] and tell him hurry up[.]”21
`56. Beginning at 1:38, a member informs the group that the plug is “doing
`it [right now]” and then: “It’s activated.”22 On information and belief, this refers to
`Mr. Shapiro’s AT&T account being activated on a phone utilized by the hackers –
`the result of a successful SIM swap effectuated by one or more of the involved
`AT&T employees.
` Once the SIM swap was complete, the group began using their
`57.
`control over Mr. Shapiro’s AT&T wireless number to access his personal and
`financial accounts. At 1:58 and 2:10 PM, the chat log shows the group using Mr.
`Shapiro’s number (which they share over the chat) to access and reset the
`passwords for his email accounts.23
`58. At 2:18 PM, the chat log shows the group accessing Mr. Shapiro’s
`Bittrex account and withdrawing his digital currency.24
`
`
`19 Id. at Attachment A.
`20 Id. at Attachment A, pg. 1.
`21 Id. at Attachment A, pg. 2.
`22 Id. at Attachment A, pgs. 2-5.
`23 Id. at Attachment A, pgs. 5-6
`24 Id. at Attachment A, pg. 6.
`
`
`
`– 13 –
`COMPLAINT
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 15 of 58 Page ID #:15
`
`
`59. The individuals would not have been able to access these accounts but
`for their utilization of Mr. Shapiro’s cell phone number, control of which was
`obtained through the use of AT&T’s employees and systems.
`60. Throughout the chat, the group refers to an additional male
`individual—the AT&T plug—helping them access Mr. Shapiro’s account. At 3:11
`PM, one member brags, “my ATT (AT&T) guy… Is a supervisor… He ain’t ever
`getting fired.”25
`61. The chat also reflects Mr. Shapiro’s attempt to regain control of his
`AT&T account. At 3:39, one member warns that Mr. Shapiro is “trying to get
`number back.”26 Another—referring to the AT&T co-conspirator—ask whether he
`wants “[his] guy to swap it back?”27 At the end of the chat, a group member brags
`that they “made 1.3 [million]” and they begin plotting about how to route the
`stolen cryptocurrency through various accounts and currencies in order to cover
`their trail.28 They also brag about plans to “buy some Gucci” or a “dream car”
`with the money they stole from Mr. Shapiro.29
`62. As these hackers and AT&T employees stole Mr. Shapiro’s life
`savings and made plans to spend it on luxury goods, Mr. Shapiro was still standing
`in the AT&T retail store in Manhattan, NY, asking AT&T for help. He was told to
`wait as his accounts were drained and his personal information compromised.
`63. After the May 2018 SIM swaps, AT&T employees told Mr. Shapiro
`that his account would be safe from future attacks because they had put a note on
`his account that would prevent any future SIM swaps.
`
`
`25 Id. at Attachment A, pg. 7 (emphasis added).
`26 Id. at Attachment A. pg. 8.
`27 Id.
`28 Id. at Attachment A. pg. 10.
`29 Id. at Attachment A. pg. 9.
`
`
`
`
`– 14 –
`COMPLAINT
`
`
`
`

`

`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 16 of 58 Page ID #:16
`
`
`64. Mr. Shapiro also changed his AT&T account passcodes on the advice
`of AT&T employees. AT&T informs its customers that these account passcodes—
`which are different than account sign-in passwords or the passcodes used to access
`a wireless device—are used to protect their wireless accounts and may be required
`when a customer manages their AT&T account online or in an AT&T store.30
`AT&T employees represented to Mr. Shapiro that this passcode would not be
`shared with anyone, and would protect his account from future unauthorized SIM
`swaps. Mr. Shapiro decided not to close his AT&T account in reliance on these
`assurances.
`65. Mr. Shapiro’s trust in AT&T was misplaced. On November 1, 2018,
`Mr. Shapiro again noticed that his cell phone had lost service, and suspected a SIM
`swap. Shortly thereafter, he received an alert that someone had accessed and
`changed the password to—at minimum—his Google email accounts. This also
`caused all information stored in this account—including sensitive and confidential
`personal, financial, and legal information—to be compromised.
`66. Mr. Shapiro contacted AT&T and confirmed that he had indeed been
`SIM swapped a third time. Again, AT&T employees represented to Mr. Shapiro
`that they had taken steps to prevent any further SIM swaps on his account.
`67. On May 14, 2019, Mr. Shapiro received a letter from AT&T’s
`Director of Compliance, Nena M. Romano, informing him that “an employee of
`one of [AT&T’s] service providers accessed [Mr. Shapiro’s] Customer Proprietary
`Network Information [CPNI] without authorization.”31 The letter did not indicate
`which of the three prior SIM swap attacks it concerned. It stated that AT&T had
`“taken appropriate action” regarding the AT&T employee involved and had
`
`

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket