`
`
`
`
`
`
`
`PIERCE BAINBRIDGE BECK PRICE
`& HECHT LLP
`Thomas D. Warren (State Bar No. 160921)
`twarren@piercebainbridge.com
`Andrew Calderón (State Bar No. 316673)
`acalderon@piercebainbridge.com
`355 S. Grand Avenue, 44th Floor
`Los Angeles, CA 90071
`Telephone: (213) 262-9333
`Facsimile: (213) 279-2008
`
`Dwayne D. Sam (pro hac
`application forthcoming)
`dsam@piercebainbridge.com
`600 Pennsylvania Avenue NW
`South Tower, Suite 700
`Washington, DC 20004
`Telephone: (202) 843-8342
`Facsimile: (646) 968-4125
`
`Counsel for Plaintiff Seth Shapiro
`
`
`
`THE UNITED STATES DISTRICT COURT
`FOR THE CENTRAL DISTRICT OF CALIFORNIA
`
`
`
`
`SETH SHAPIRO,
`Plaintiff,
`
`v.
`AT&T MOBILITY, LLC,
`Defendant.
`
`
`
`
`
`
` Case No. 2:19-cv-8972
`
`CIVIL COMPLAINT
`
`DEMAND FOR JURY TRIAL
`
`
`
`
`
`
`
`
`
`
`
`
`
`CIVIL COMPLAINT
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 2 of 58 Page ID #:2
`
`
`I. NATURE OF THE ACTION
`This action arises out of AT&T’s repeated failure to protect its
`1.
`wireless cell service subscriber—Seth Shapiro—from its own employees, resulting
`in massive and ongoing violations of Mr. Shapiro’s privacy, the compromise of his
`highly sensitive personal and financial information, and the theft of more than $1.8
`million.
`AT&T is the country’s largest wireless service provider. Tens of
`2.
`millions of subscribers entrust AT&T with access to their confidential information,
`including information that can serve as a key to unlock subscribers’ highly
`sensitive personal and financial information.
`Recognizing the harms that arise when wireless subscribers’ personal
`3.
`information is accessed, disclosed, or used without their consent, federal and state
`laws require AT&T to protect this sensitive information.
`AT&T also recognizes the sensitivity of this data, and promises its
`4.
`subscribers that it “will protect [customers’] privacy and keep [their] personal
`information safe” and that it “will not sell [customers’] personal information to
`anyone, for any purpose. Period.” AT&T repeatedly broke these promises.
`In an egregious violation of the law and its own promises, and despite
`5.
`advertising itself as a leader in technological development and as a cyber security-
`savvy company, AT&T repeatedly failed to protect Mr. Shapiro’s account and the
`sensitive data it contained. AT&T failed to implement sufficient data security
`systems and procedures and failed to supervise its own personnel, instead standing
`by as its employees used their position at the company to gain unauthorized access
`to Mr. Shapiro’s account in order to rob, extort, and threaten him in exchange for
`money.
`AT&T’s actions and conduct were a substantial factor in causing
`6.
`significant financial and emotional harm to Mr. Shapiro and his family. But for
`
`
`
`– 1 –
`COMPLAINT
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 3 of 58 Page ID #:3
`
`
`AT&T employees’ involvement in a conspiracy to rob Mr. Shapiro, and AT&T’s
`failure to protect Mr. Shapiro from such harm through adequate security and
`oversight systems and procedures, Mr. Shapiro would not have had his personal
`privacy repeatedly violated and would not have been a victim of SIM swap theft.
`7. Mr. Shapiro brings this action to hold AT&T accountable for its
`violations of federal and state law, and to recover for the grave financial and
`personal harm suffered by Mr. Shapiro and his family as a direct result of AT&T’s
`acts and omissions, as detailed herein.
`II. THE PARTIES
`Plaintiff Seth Shapiro is, and at all relevant times was, a resident of
`8.
`California. Mr. Shapiro currently resides in Torrance, CA, with his wife and two
`young children.
`9. Mr. Shapiro is a two-time Emmy Award-winning media and
`technology expert, author, and adjunct professor at the University of Southern
`California School of Cinematic Arts. He regularly advises Fortune 500 companies
`on business development in media and technology. Mr. Shapiro was also an early
`investor in digital currencies.
`10. Mr. Shapiro is a former AT&T wireless customer. He purchased a
`wireless cell phone plan from AT&T in Los Angeles, California in approximately
`2006 for personal use and was an active, paying AT&T wireless subscriber at all
`times relevant to the allegations in this Complaint.
`11. Defendant AT&T Mobility, LLC (hereinafter, “AT&T”) is a Delaware
`limited liability corporation with its principal office or place of business in
`Brookhaven, Georgia. AT&T “provides nationwide wireless services to consumers
`and wholesale and resale wireless subscribers located in the United States or U.S.
`territories” and transacts or has transacted business in this District and throughout
`the United States. It is the second largest wireless carrier in the United States, with
`
`
`
`– 2 –
`COMPLAINT
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 4 of 58 Page ID #:4
`
`
`more than 153 million subscribers, earning $71 billion in total operating revenues
`in 2017 and $71 billion in 2018. As of December 2017, AT&T had 1,470 retail
`locations in California.1
`12. AT&T provides wireless service to subscribers in the United States.
`AT&T is a “common carrier” governed by the Federal Communications Act
`(“FCA”), 47 U.S.C. § 151 et seq. AT&T is regulated by the Federal
`Communications Commission (“FCC”) for its acts and practices, including those
`occurring in this District.
`13. AT&T Inc., AT&T’s parent company, acknowledged in its 2018
`Annual Report that its “profits and cash flow are largely driven by [its] Mobility
`business” and “nearly half of [the] company’s EBITDA (earnings before interest,
`taxes, depreciation and amortization) come from Mobility.”2
`14. Despite the importance of its mobility business, instead of focusing on
`providing ramping up security for their customers, AT&T Inc. has gone on a
`buying spree costing over $150 billion, acquiring: Bell South (including Cingular
`Wireless and Yellowpages.com), Dobson Communications, Edge Wireless,
`Cellular One, Centennial, Wayport, Qualcomm Spectrum, Leap Wireless, DirecTV,
`and Iusacell and NII Holdings (now AT&T Mexico). During the same period,
`AT&T’s mobile phone business was rated as the worst among major providers.
`Consumer Reports named it the “worst carrier” in 2010, and the next year, J.D.
`Power found AT&T’s network the least reliable in the country—a dubious
`achievement that it also earned in prior years. Little wonder that its customers
`were the least happy of subscribers of the Big Four carriers according to the
`American Consumer Index. In the meantime, AT&T Inc. has purchased for a total
`equity value of $85.4 billion Time Warner Inc.—the owner of HBO, Warner Bros,
`
`
`1 “About Us,” AT&T, available at https://engage.att.com/california/about-us/. All URLs in this
`complaint were last accessed on October 15, 2019.
`2 Id.
`
`
`
`– 3 –
`COMPLAINT
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 5 of 58 Page ID #:5
`
`
`CNN, Turner Broadcasting, Cartoon Network, Turner Classic Movies, TBS, TNT
`and Turner Sports.
`JURISDICTION AND VENUE
`III.
`15. This Court has jurisdiction over this matter under 28 U.S.C. § 1331
`because this case arises under federal question jurisdiction under the Federal
`Communications Act (“FCA”). The Court has supplemental jurisdiction under 28
`U.S.C. § 1367 over the state law claims because the claims are derived from a
`common nucleus of operative facts. The Court also has jurisdiction over this
`action pursuant to 28 U.S.C. § 1332 because Mr. Shapiro is a citizen of a different
`state than AT&T.
`16. This Court has personal jurisdiction over AT&T because AT&T
`purposefully directs its conduct at California, transacts substantial business in
`California (including in this District), has substantial aggregate contacts with
`California (including in this District), engaged and is engaging in conduct that has
`and had a direct, substantial, reasonably foreseeable, and intended effect of causing
`injury to persons in California (including in this District), and purposely avails
`itself of the laws of California. AT&T had more than 33,000 employees in
`California as of 2017, and 1,470 retail locations in the state.3 Mr. Shapiro
`purchased his AT&T wireless plan in California, visited AT&T retail locations in
`California, and was injured in California by the acts and omissions alleged herein.
`In accordance with 28 U.S.C. § 1391, venue is proper in this District
`17.
`because a substantial part of the conduct giving rise to Mr. Shapiro’s claims
`occurred in this District and Defendant transacts business in this District. Mr.
`Shapiro purchased his AT&T wireless plan in this District and was harmed in this
`District, where he resides, by AT&T’s acts and omissions, as detailed herein.
`IV. ALLEGATIONS APPLICABLE TO ALL COUNTS
`
`
`3 “About Us,” AT&T California, supra at 1.
`– 4 –
`COMPLAINT
`
`
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 6 of 58 Page ID #:6
`
`
`18. As a telecommunications carrier, AT&T is entrusted with the sensitive
`wireless account information and personal data of millions of Americans, including
`Mr. Shapiro’s confidential and sensitive personal and account information.
`19. Despite its representations to its customers and its obligations under
`the law, AT&T has failed to protect Mr. Shapiro’s confidential information. On at
`least four occasions between May 16, 2018 and May 18, 2019, AT&T employees
`obtained unauthorized access to Mr. Shapiro’s AT&T wireless account, viewed his
`confidential and proprietary personal information, and transferred control over Mr.
`Shapiro’s AT&T wireless number from Mr. Shapiro’s phone to a phone controlled
`by third-party hackers in exchange for money. The hackers then utilized their
`control over Mr. Shapiro’s AT&T wireless number—including control secured
`through cooperation with AT&T employees—to access his personal and digital
`finance accounts and steal more than $1.8 million from Mr. Shapiro.
`20. This type of telecommunications account hacking behavior is known
`as “SIM swapping.”
`SIM Swapping is a Type of Identity Theft Involving the Transfer
`A.
`of a Mobile Phone Number.
`21. On four occasions in 2018 and 2019, Mr. Shapiro was the target of
`“SIM swapping.”
`“SIM swapping” refers to a relatively simple scheme, wherein third
`22.
`parties take control of a victim’s wireless phone number. The hackers then use that
`phone number as a key to access the victim’s digital accounts, such as email, file
`storage, and financial accounts.
`23. Most cell phones, including the iPhone owned by Mr. Shapiro at the
`time of his SIM swaps, have internal SIM (“subscriber identity module”) cards. A
`SIM card is a small, removable chip that allows a cell phone to communicate with
`the wireless carrier and the carrier to know what subscriber account is associated
`with that phone. The connection between the phone and the SIM card is made
`– 5 –
`COMPLAINT
`
`
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 7 of 58 Page ID #:7
`
`
`through the carrier, which associates each SIM card with the physical phone’s
`IMEI (“international mobile equipment identity”), which is akin to the phone’s
`serial number. Without a working SIM card and effective SIM connection, a phone
`typically cannot send or receive calls or text messages over the carrier network.
`SIM cards can also store a limited amount of account data, including contacts, text
`messages, and carrier information, and that data can help identify the subscriber.
`24. The SIM card associated with a wireless phone can be changed. If a
`carrier customer buys a new phone that requires a different sized SIM card, for
`example, the customer can associate his or her account with a new SIM card and
`the new phone’s IMEI by working with their cell phone carrier to effectuate the
`change. This allows carrier customers to move their wireless number from one cell
`phone to another and to continue accessing the carrier network when they switch
`cell phones. For a SIM card change to be effective, the carrier must authenticate
`the request and actualize the change. AT&T allows its employees to conduct SIM
`card changes for its customers remotely or in its retail stores.
`25. A SIM swap refers to an unauthorized and illegitimate SIM card
`change. During a SIM swap attack, the SIM card associated with the victim’s
`wireless account is switched from the victim’s phone to a phone controlled by a
`third party. This effectively moves the victim’s wireless phone—including any
`incoming data, texts, and phone calls associated with the victim’s phone—from
`their phone to a phone controlled by the third party (also referred to herein as a
`“hacker”). The hacker’s phone then becomes the phone associated with the
`victim’s carrier account, and the hacker receives all of the text messages and phone
`calls intended for the victim.4 Meanwhile, the victim’s phone loses its connection
`to the carrier network.
`
`4 As described by federal authorities in prosecuting SIM swap cases, SIM swapping enables
`hackers to “gain control of a victim’s mobile phone number by linking that number to a
`subscriber identity module (‘SIM’) card controlled by [the hackers]—resulting in the victim’s
`
`
`
`
`– 6 –
`COMPLAINT
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 8 of 58 Page ID #:8
`
`
`26. Once hackers have control over the victim’s phone number, they can
`use that control to access the victim’s personal online accounts, such as email and
`banking accounts, through exploiting password reset links sent via text message to
`the now-hacker-controlled-phone or the two-factor authentication processes
`associated with the victim’s digital accounts. Two-factor authentication allows
`digital accounts to be accessed without a password, or allows the account password
`to be changed. One common form of two-factor authentication is through text
`messaging. Rather than enter a password, the hacker requests that a password reset
`be sent to the mobile phone number associated with the account. Because the
`hacker now controls that phone number, the reset code is sent to them. The hacker
`can then log into, and change the password for, the victim’s account, allowing
`them to access the contents of the account.5
`27. The involvement of a SIM swap victim’s wireless carrier is critical to
`an effective SIM swap. In order for a SIM swap to occur and for a SIM swap
`victim to be at any risk, the carrier must receive a request to change a victim’s SIM
`card and effectuate the transfer of the victim’s phone number from one SIM card to
`another.
`In Mr. Shapiro’s case, not only did AT&T employees access his
`28.
`account and authorize changes to that account without Mr. Shapiro’s consent, but
`its employees actively profited from this unauthorized access by knowingly giving
`control over his phone number to hackers for the purposes of robbing him.
`
`
`phone calls and short message service (‘SMS’) messages being routed to a device controlled by
`[a hacker].” United States of America v. Conor Freeman, et al., No. 2:19-cr-20246-DPH-APP
`(E.D. Mich. Filed Apr. 18, 2019) (hereafter, “Freeman Indictment”), ECF. No. 1 at ¶ 3 (attached
`hereto as Exhibit A).
`5 See, e.g., Id. at ¶ 4 (“Once [hackers] had control of a victim’s phone number, it was leveraged
`as a gateway to gain control of online accounts such as the victim’s email, cloud storage, and
`cryptocurrency exchange accounts. Sometimes this was achieved by requesting a password-reset
`link be sent via [text messaging] to the device control by [hackers]. Sometimes passwords were
`compromised by other means, and [the hacker’s] device was used to received two-factor
`authentication (‘2FA’) message sent via [text message] intended for the victim.”).
`– 7 –
`COMPLAINT
`
`
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 9 of 58 Page ID #:9
`
`
`B. AT&T Allowed Unauthorized Access to Mr. Shapiro’s Account
`Four Times Over the Course of Approximately One Year.
`29. Between May 16, 2018 and May 18, 2019, AT&T employees accessed
`Mr. Shapiro’s AT&T wireless account without his authorization, obtained his
`confidential and proprietary personal information, and sold that information to
`third parties who then used it to steal from Mr. Shapiro, access his sensitive and
`confidential information, and threaten his family.
`30. On May 16, 2018 at approximately 1:35 PM ET, Mr. Shapiro’s AT&T
`SIM card was changed without his knowledge or authorization for the first time.
`31. At the time of the SIM swap, Mr. Shapiro was attending a conference
`in New York City. He noticed that his AT&T cell phone had lost service. Mr.
`Shapiro’s device was no longer connected to the AT&T wireless network, and he
`was no longer able to place or receive wireless calls.
`32. Mr. Shapiro immediately suspected that a SIM swap attack was
`underway and called AT&T in an attempt to secure his account. Mr. Shapiro
`informed the AT&T customer service agent that he suspected his account had been
`accessed without authorization and that he was in possession of large amounts of
`digital currency, which he feared could be at risk.
`33. During his call with AT&T, Mr. Shapiro repeatedly asked to speak to
`upper management or to be connected to the AT&T department responsible for
`security. AT&T records confirm Mr. Shapiro’s request to speak to the fraud
`department. Mr. Shapiro was (incorrectly) told that no such department existed,
`and his call was never escalated to management. Instead, he was put on lengthy
`holds and ultimately told to turn off his phone and go to an AT&T retail location
`for further assistance. His AT&T service was then suspended.
`Immediately upon ending the call with AT&T’s customer service, Mr.
`34.
`Shapiro went to an AT&T retail store in Manhattan, New York.6 Upon arriving,
`
`6 This AT&T retail store is located at 1330 Avenue of the Americas, New York, NY 10019.
`– 8 –
`COMPLAINT
`
`
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 10 of 58 Page ID #:10
`
`
`Mr. Shapiro informed AT&T employees—including an AT&T sales representative,
`Juneice Arias—that he suspected unauthorized SIM swap activity on his account
`and once again advised that he had confidential information and digital currency
`that could be at risk.
`35. AT&T employees advised Mr. Shapiro to purchase a new wireless
`phone with a new SIM card from AT&T. On this advice, Mr. Shapiro purchased a
`new iPhone for several hundred dollars, as well as a new SIM card, in the AT&T
`retail store. AT&T employees then activated the new phone and the new SIM card
`and restored Mr. Shapiro’s service, thereby allowing Mr. Shapiro to regain control
`over his AT&T cell phone number.
`36. AT&T employees told Mr. Shapiro at that time that they had noted the
`SIM swap activity in his account and assured him that his SIM card would not be
`swapped again without his authorization. On this assurance, Mr. Shapiro decided
`not to close his AT&T account.
`37. Mere minutes later—while Mr. Shapiro was still in the AT&T retail
`store—Mr. Shapiro’s AT&T account was again improperly accessed, and the SIM
`card associated with his phone number was changed. Mr. Shapiro again lost
`control over his AT&T cell phone number.
`38. Mr. Shapiro immediately informed AT&T employees that AT&T had
`once again allowed an unauthorized SIM swap. Employees informed him that he
`needed to wait until it was his turn to be assisted.
`39. Mr. Shapiro waited for approximately 45 minutes inside the AT&T
`retail store for help from AT&T employees. In that time, third-party individuals
`were able to use their control over Mr. Shapiro’s AT&T cell phone number to
`access Mr. Shapiro’s personal and financial accounts and rob him of approximately
`$1.8 million, all while Mr. Shapiro stood helplessly in the AT&T store asking for
`the company’s help.
`
`
`
`– 9 –
`COMPLAINT
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 11 of 58 Page ID #:11
`
`
`40. While third parties had control over Mr. Shapiro’s AT&T wireless
`number, they used that control to access and reset the passwords for Mr. Shapiro’s
`accounts on cryptocurrency exchange platforms, including KuCoin, Bittrex, Wax,
`Coinbase, Huobi, Crytopia, LiveCoin, HitBTC, Coss.io, Liqui, and Bitfinex.
`Cryptocurrency exchanges are online platforms where different forms of
`cryptocurrency (e.g. bitcoin) are bought and sold.
`41. Before the May 2018 SIM swaps, Mr. Shapiro had raised funds in the
`form of cryptocurrency for a new business venture. This capital, as well as Mr.
`Shapiro’s personal funds, was accessed by the hackers utilizing their control over
`Mr. Shapiro’s AT&T wireless number, although the business funds were stored
`separately from Mr. Shapiro’s personal funds.
`42. By utilizing their control over Mr. Shapiro’s AT&T cell phone
`number—and the control of additional accounts (such as his email) secured
`through that number by utilizing two factor authentication—these third-party
`hackers were able to access Mr. Shapiro’s accounts on various cryptocurrency
`exchange platforms, including the accounts he controlled on behalf of his business
`venture. The hackers then transferred Mr. Shapiro’s currency from Mr. Shapiro’s
`accounts into accounts that they controlled.7 In all, they stole more than $1.8
`million from Mr. Shapiro in the two consecutive SIM swap attacks on May 16,
`2018.
`
`43. On information and belief, the hackers also utilized their control over
`Mr. Shapiro’s AT&T wireless number to access and steal Mr. Shapiro’s currency
`
`
`7 See Affidavit for Search Warrant, Florida v. Ricky Handschumacher, No. 18-cf-4271-AXWS
`(6th Dis. Fl. July 25, 2018) (attached hereto as Exhibit B) at p. 8 (explaining how hackers—
`including hackers involved in robbing Mr. Shapiro—would “gain access to the victim’s email
`accounts and cryptocurrency exchanges…[and] use the victim’s funds to purchase
`cryptocurrencies and transfer it to a accounts [sic] or wallets the [hackers] controlled.”). Due to
`the nature of cryptocurrency, this process makes it extremely difficult to track and seize the
`location of stolen cryptocurrency.
`
`
`
`– 10 –
`COMPLAINT
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 12 of 58 Page ID #:12
`
`
`on cryptocurrency exchanges (including Liqui.io, Livecoin, and Huobi) to which
`Mr. Shapiro was never able to regain access.
`44. The hackers also used their control over Mr. Shapiro’s AT&T cell
`phone number to access and change the passwords for approximately 15 of Mr.
`Shapiro’s online accounts, including four email addresses, his Evernote account (a
`web application for taking notes and making task lists), and his PayPal account (a
`digital payment platform).
`It took Mr. Shapiro approximately 14 hours to regain access to and
`45.
`restore control over his email and other personal accounts. By then, however, the
`damages was done: these accounts, and all of their contents, had already been
`compromised.
`46. Criminal investigations into the May 2018 breaches to Mr. Shapiro’s
`AT&T account and the resulting theft revealed that at least two AT&T employees,
`acting in the scope of their employment, accessed and permitted others to access
`Mr. Shapiro’s AT&T account and the confidential information contained therein.8
`As federal authorities describe, “These employees, while not necessarily knowing
`the entirety of [the hackers] plans, were aware that they were assisting in the theft
`of identities of subscribers to their employer’s services.”9
`47. The two AT&T employees involved, Robert Jack and Jarratt White,10
`reside in Arizona. AT&T confirmed their employment,11 their involvement in the
`
`
`8 See Criminal Complaint and Affidavit, United States of America v. Jarratt White, et al., No.
`2:19-mj-30227-DUTY (E.D. Mich. Filed May 2, 2019) (hereafter, “White Affidavit”), ECF No.
`1 (attached hereto as Exhibit C).
`9 Id. at ¶ 8.
`10 Id. at ¶¶ 10-15 (describing White’s involvement in the unauthorized access of Mr. Shapiro’s
`AT&T account and the resulting theft) and ¶¶ 16-19 (describing Jack’s involvement).
`11 Id. at ¶ 15 (“AT&T confirmed that WHITE was a contract employee from Tucson, Arizona.”)
`and ¶ 16 (“Based on records provided from AT&T, ROBERT JACK, a second AT&T contract
`employee from Tucson, Arizona… .”)
`
`
`
`
`– 11 –
`COMPLAINT
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 13 of 58 Page ID #:13
`
`
`unauthorized access of Mr. Shapiro’s account,12 and their involvement in the two
`SIM swaps that occurred on May 16, 2018.
`48. Specifically, criminal investigations reveal that a third-party (an
`individual identified by authorities as “JD”) paid Jack and White to change the
`SIM card associated with Mr. Shapiro’s AT&T account from the SIM card in Mr.
`Shapiro’s phone to a SIM card in a phone controlled by JD and others.13
`In order to effectuate the swaps, Jack and/or White used their access
`49.
`to Mr. Shapiro’s account—access gained through their AT&T employment—to
`view his confidential AT&T account information and effectuate the SIM swaps
`without Mr. Shapiro’s knowledge or consent.
`JD paid White $4,300 in exchange for White using his position,
`50.
`knowledge, and authority as an AT&T employee to conduct SIM swaps, including
`the May 16, 2018 SIM swaps of Mr. Shapiro.14 White then paid Jack $585.25 for
`his involvement in the swaps.15
`51. On information and belief, AT&T data shows that White and Jack
`were prolific SIM swappers. White conducted 29 unauthorized SIM swaps in May
`2018,16 while Jack conducted 12 unauthorized swaps that same month.17
`52. Criminal investigations have also identified the AT&T employees’
`third-party co-conspirators and revealed additional information about the
`employees’ involvements in the scheme.
`53. For example, police officers located documents on the computer of
`one co-conspirator hacker (identified as “CS1”) labeled “ATT Plug.”18 In the SIM
`
`
`12 Id. at ¶¶ 11, 15-16.
`13 Id. at ¶¶ 11, 16-19.
`14 Id. at ¶¶ 11-12.
`15 Id. at ¶ 19.
`16 Id. at ¶ 15.
`17 Id. at ¶ 16.
`18 Ex. B at p. 7.
`
`
`
`
`– 12 –
`COMPLAINT
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 14 of 58 Page ID #:14
`
`
`swap context, a “plug” is a telecommunication carrier employee who uses their
`knowledge and access to assist in SIM swaps.
`Investigators were also able to obtain a log of a chat conversation held
`54.
`online between the third-party co-conspirator hackers, wherein they plotted and
`executed the theft of Mr. Shapiro’s currency.19
`55. The chat begins with the group discussing working with an AT&T
`employee to access Mr. Shapiro’s AT&T wireless account and swap his SIM card.
`At 1:19 PM on May 16, 2018, one member of the group asks, “What is plug
`doing[?]”20 On information and belief, this refers to the group’s AT&T plug:
`White or Jack. The same member requests at 1:31 that another member “message
`[the plug] and tell him hurry up[.]”21
`56. Beginning at 1:38, a member informs the group that the plug is “doing
`it [right now]” and then: “It’s activated.”22 On information and belief, this refers to
`Mr. Shapiro’s AT&T account being activated on a phone utilized by the hackers –
`the result of a successful SIM swap effectuated by one or more of the involved
`AT&T employees.
` Once the SIM swap was complete, the group began using their
`57.
`control over Mr. Shapiro’s AT&T wireless number to access his personal and
`financial accounts. At 1:58 and 2:10 PM, the chat log shows the group using Mr.
`Shapiro’s number (which they share over the chat) to access and reset the
`passwords for his email accounts.23
`58. At 2:18 PM, the chat log shows the group accessing Mr. Shapiro’s
`Bittrex account and withdrawing his digital currency.24
`
`
`19 Id. at Attachment A.
`20 Id. at Attachment A, pg. 1.
`21 Id. at Attachment A, pg. 2.
`22 Id. at Attachment A, pgs. 2-5.
`23 Id. at Attachment A, pgs. 5-6
`24 Id. at Attachment A, pg. 6.
`
`
`
`– 13 –
`COMPLAINT
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 15 of 58 Page ID #:15
`
`
`59. The individuals would not have been able to access these accounts but
`for their utilization of Mr. Shapiro’s cell phone number, control of which was
`obtained through the use of AT&T’s employees and systems.
`60. Throughout the chat, the group refers to an additional male
`individual—the AT&T plug—helping them access Mr. Shapiro’s account. At 3:11
`PM, one member brags, “my ATT (AT&T) guy… Is a supervisor… He ain’t ever
`getting fired.”25
`61. The chat also reflects Mr. Shapiro’s attempt to regain control of his
`AT&T account. At 3:39, one member warns that Mr. Shapiro is “trying to get
`number back.”26 Another—referring to the AT&T co-conspirator—ask whether he
`wants “[his] guy to swap it back?”27 At the end of the chat, a group member brags
`that they “made 1.3 [million]” and they begin plotting about how to route the
`stolen cryptocurrency through various accounts and currencies in order to cover
`their trail.28 They also brag about plans to “buy some Gucci” or a “dream car”
`with the money they stole from Mr. Shapiro.29
`62. As these hackers and AT&T employees stole Mr. Shapiro’s life
`savings and made plans to spend it on luxury goods, Mr. Shapiro was still standing
`in the AT&T retail store in Manhattan, NY, asking AT&T for help. He was told to
`wait as his accounts were drained and his personal information compromised.
`63. After the May 2018 SIM swaps, AT&T employees told Mr. Shapiro
`that his account would be safe from future attacks because they had put a note on
`his account that would prevent any future SIM swaps.
`
`
`25 Id. at Attachment A, pg. 7 (emphasis added).
`26 Id. at Attachment A. pg. 8.
`27 Id.
`28 Id. at Attachment A. pg. 10.
`29 Id. at Attachment A. pg. 9.
`
`
`
`
`– 14 –
`COMPLAINT
`
`
`
`
`
`Case 2:19-cv-08972-CBM-FFM Document 1 Filed 10/17/19 Page 16 of 58 Page ID #:16
`
`
`64. Mr. Shapiro also changed his AT&T account passcodes on the advice
`of AT&T employees. AT&T informs its customers that these account passcodes—
`which are different than account sign-in passwords or the passcodes used to access
`a wireless device—are used to protect their wireless accounts and may be required
`when a customer manages their AT&T account online or in an AT&T store.30
`AT&T employees represented to Mr. Shapiro that this passcode would not be
`shared with anyone, and would protect his account from future unauthorized SIM
`swaps. Mr. Shapiro decided not to close his AT&T account in reliance on these
`assurances.
`65. Mr. Shapiro’s trust in AT&T was misplaced. On November 1, 2018,
`Mr. Shapiro again noticed that his cell phone had lost service, and suspected a SIM
`swap. Shortly thereafter, he received an alert that someone had accessed and
`changed the password to—at minimum—his Google email accounts. This also
`caused all information stored in this account—including sensitive and confidential
`personal, financial, and legal information—to be compromised.
`66. Mr. Shapiro contacted AT&T and confirmed that he had indeed been
`SIM swapped a third time. Again, AT&T employees represented to Mr. Shapiro
`that they had taken steps to prevent any further SIM swaps on his account.
`67. On May 14, 2019, Mr. Shapiro received a letter from AT&T’s
`Director of Compliance, Nena M. Romano, informing him that “an employee of
`one of [AT&T’s] service providers accessed [Mr. Shapiro’s] Customer Proprietary
`Network Information [CPNI] without authorization.”31 The letter did not indicate
`which of the three prior SIM swap attacks it concerned. It stated that AT&T had
`“taken appropriate action” regarding the AT&T employee involved and had
`
`