Case 2:19-cv-08972-CBM-FFM Document 55 Filed 04/05/21 Page 1 of 68 Page ID #:1148
`
`
`
`CHRISTOPHER GRIVAKES, State Bar No. 127994
`cg@agzlaw.com
`DAMION ROBINSON, State Bar No. 262573
`dr@aglzw.com
`AFFELD GRIVAKES LLP
`2049 Century Park East, Ste. 2460
`Los Angeles, CA 90067
`Telephone: (310) 979-8700
`Facsimile: (310) 979-8701
`
`Attorneys for Plaintiff SETH SHAPIRO
`
`
`
`
`SETH SHAPIRO, an individual,
`
`Plaintiff,
`
`THE UNITED STATES DISTRICT COURT
`FOR THE CENTRAL DISTRICT OF CALIFORNIA
`
`
`
`Case No: 2:19-cv-8972
`
`THIRD AMENDED CIVIL
`COMPLAINT
`
`DEMAND FOR JURY TRIAL
`
`
`
`
`
`
`
`vs.
`AT&T MOBILITY, LLC,
`SEQUENTIAL TECHNOLOGY
`INTERNATIONAL, LLC., and PRIME
`COMMUNICATIONS, L.P.,
`
`Defendants.
`
`
`
`I. NATURE OF THE ACTION
`1. This action arises out of the repeated failure of AT&T and its agents to protect
`its wireless cell service subscriber—Seth Shapiro—from its own employees and
`agents, resulting in massive and ongoing violations of Mr. Shapiro’s privacy, the
`compromise of his highly sensitive personal and financial information, and the theft of
`approximately $1,921,355.80 in cryptocurrency, valued at considerably more now due
`to the rise in values since the time of the theft.
`2. AT&T is one of the country’s largest wireless service providers. Tens of
`millions of subscribers entrust AT&T with access to their confidential information,
`including information that can serve as a key to unlock subscribers’ highly sensitive
`personal and financial information.
`3. Recognizing the harms that arise when wireless subscribers’ personal
`information is accessed, disclosed, or used without their consent, federal and state
`laws require AT&T to protect this sensitive information.
`4. AT&T also recognizes the sensitivity of this data, and promises its 150 million
`mobile subscribers that it will safeguard their private information – and particularly
`their data-rich SIM cards – from any unauthorized disclosure. AT&T promises it “will
`protect the privacy of our customers,” will “safeguard the privacy of [customers’]
`personal identifying information,” and “[will] not sell, trade or share [customers’]
`CPNI — including [their] calling records — with anyone outside of the AT&T family
`of companies or with anyone not authorized to represent us to offer our products or
`services, or to perform functions on our behalf except as may be required by law or
`authorized by [the customer].”1 AT&T repeatedly broke these promises.2
`5. In an egregious violation of the law and its own promises, and despite
`
`1 “Privacy Policy,” AT&T, effective June 16, 2006,
`web.archive.org/web/20060618204925/http://www.att.com/privacy/policy/, attached hereto as Exhibit A.
`2 On information and belief, the terms of AT&T’s Privacy Policy remained similar throughout the duration of
`his contract. See Exhibit A1, “Privacy Policy,” AT&T, effective May 2, 2017,
`https://web.archive.org/web/20180519020538/http://about.att.com/sites/privacy_policy/full_privacy_policy
`
`advertising itself as a leader in technological development and as a cyber security-
`savvy company, AT&T and its representatives and agents repeatedly failed to protect
`Mr. Shapiro’s account and the sensitive data it contained. AT&T failed to implement
`sufficient data security systems and procedures and failed to supervise its own
`personnel, instead standing by as its employees used their position at the company to
`gain unauthorized access to Mr. Shapiro’s account in order to rob, extort, and threaten
`him in exchange for money.
`6. AT&T’s actions and conduct were a substantial factor in causing significant
`financial and emotional harm to Mr. Shapiro and his family. But for AT&T
`employees’, representatives’ and agents’ involvement in a conspiracy to rob Mr.
`Shapiro, and AT&T’s failure to protect Mr. Shapiro from such harm through adequate
`security and oversight systems and procedures, Mr. Shapiro would not have had his
`personal privacy repeatedly violated and would not have been a victim of SIM swap
`theft.
`7. Mr. Shapiro brings this action to hold AT&T accountable for its violations of
`federal and state law, and to recover for the grave financial and personal harm
`suffered by Mr. Shapiro and his family as a direct result of AT&T’s acts and
`omissions, as detailed herein.
`II. THE PARTIES
`8. Plaintiff Seth Shapiro is, and at all relevant times was, a resident of California.
`Mr. Shapiro currently resides in Torrance, CA, with his wife and two young children.
`9. Mr. Shapiro is a two-time Emmy Award-winning media and technology expert,
`author, and is an adjunct professor at the University of Southern California School of
`Cinematic Arts. He regularly advises Fortune 500 companies on business
`development in media and technology.
`10. Mr. Shapiro is a former AT&T wireless customer. He purchased a wireless cell
`phone plan from AT&T in Los Angeles, California in approximately 2006 for
`personal use and was an active, paying AT&T wireless subscriber at all times relevant
`to the allegations in this Complaint.
`11. Defendant AT&T Mobility, LLC (hereinafter, “AT&T”) is a Delaware limited
`liability corporation with its principal office or place of business in Brookhaven,
`Georgia. AT&T “provides nationwide wireless services to consumers and wholesale
`and resale wireless subscribers located in the United States or U.S. territories” and
`transacts or has transacted business in this District and throughout the United States. It
`is the second largest wireless carrier in the United States, with more than 153 million
`subscribers, earning $71 billion in total operating revenues in 2017 and $71 billion in
`2018. As of December 2017, AT&T had 1,470 retail locations in California.3
`12. AT&T provides wireless service to subscribers in the United States. AT&T is a
`“common carrier” governed by the Federal Communications Act (“FCA”), 47 U.S.C.
`§ 151 et seq. AT&T is regulated by the Federal Communications Commission
`(“FCC”) for its acts and practices, including those occurring in this District.
`13. AT&T Inc., AT&T’s parent company, acknowledged in its 2018 Annual
`Report that its “profits and cash flow are largely driven by [its] Mobility business”
`and “nearly half of [the] company’s EBITDA (earnings before interest, taxes,
`depreciation and amortization) come from Mobility.”4
`14. Despite the importance of its mobility business, instead of focusing on ramping
`up security for its customers, AT&T Inc. instead went on an historic acquisition spree
`costing over $150 billion, acquiring: Bell South (including Cingular Wireless and
`Yellowpages.com), Dobson Communications, Edge Wireless, Cellular One,
`Centennial, Wayport, Qualcomm Spectrum, Leap Wireless, DirecTV, and Iusacell and
`NII Holdings (now AT&T Mexico). During the same period, AT&T’s mobile phone
`business was rated as the worst among major providers. Consumer Reports named it
`the “worst carrier” in 2010, and the next year, J.D. Power found AT&T’s network the
`least reliable in the country—a dubious achievement that it also earned in prior years.
`
`3 “About Us,” AT&T, https://engage.att.com/california/about-us/. All URLs in this complaint
`were last accessed on May 29, 2020.
`4 Id.
`
`Little wonder that its customers were the least happy of subscribers of the Big Four
`carriers according to the American Consumer Index. In the meantime, AT&T Inc.
`completed the $85.4 billion purchase of Time Warner Inc.—the owner of HBO,
`Warner Bros, CNN, Turner Broadcasting, Cartoon Network, Turner Classic Movies,
`TBS, TNT and Turner Sports.
`15. Defendant SEQUENTIAL TECHNOLOGY INTERNATIONAL, LLC
`(“Sequential”) is a Delaware Limited Liability Company with its principal place of
`business in Florida. Plaintiff is informed and believes and thereon alleges that
`Sequential acquired the assets and liabilities of Synchronoss Technologies Inc.
`(“Synchronoss”), which had contracted with AT&T to provide call center
`services for AT&T’s mobile phone customers, and is thus legally responsible for the
`acts and omissions of Spring as alleged herein.
`16. Defendant PRIME COMMUNICATIONS, L.P. (“Prime”) is a Texas Limited
`Partnership with its principal place of business in Sugar Land, Texas. Plaintiff is
`informed and believes and thereon alleges that Prime is AT&T’s largest authorized
`dealer in the United States and provided call center services to AT&T. Plaintiff is
`informed and believes and thereon alleges that Prime acquired Spring
`Communications Holdings, Inc. (“Spring”) and all of its assets and liabilities, and is
`thus legally responsible for the acts and omissions of Spring as alleged herein.
`17. At all relevant times, Synchronoss and Spring were AT&T’s authorized
`representatives and agents and performed services for AT&T which were within the
`usual course of AT&T’s business.
`18. At all relevant times, AT&T dictated and controlled the manner and means by
`which Synchronoss and Spring performed their services for AT&T. On information
`and belief, AT&T entered into a master service agreement with Synchronoss and
`Spring which governed the terms and conditions of AT&T’s relationship with
`Synchronoss and Spring, and which required the Synchronoss and Spring entities to
`strictly adhere to AT&T’s guidelines, protocols, policies, and procedures relating to
`customer service, including those relating to SIM swaps. Furthermore, AT&T
`controlled the security measures it implemented across its entire network operation
`(including its own call centers and third-party call centers), as well as the data
`accumulated across the entire network, to monitor, detect and prevent unauthorized
`SIM swaps.
`19. At all relevant times, Synchronoss and Spring employees identified themselves
`to Mr. Shapiro as “AT&T” rather than Synchronoss and Spring (at AT&T’s
`direction), had full access to and use of the AT&T customer database which enabled
`them to perform customer service functions (including SIM swaps), did not disclose
`that they were employed by Synchronoss and Spring, and were in essence de facto
`employees of AT&T, and at a minimum agents of AT&T at all relevant times.
`III. JURISDICTION AND VENUE
`20. This Court has jurisdiction over this matter under 28 U.S.C. § 1331 because
`this case arises under federal question jurisdiction under the Federal Communications
`Act (“FCA”). The Court has supplemental jurisdiction under 28 U.S.C. § 1367 over
`the state law claims because the claims are derived from a common nucleus of
`operative facts. The Court also has jurisdiction over this action pursuant to 28 U.S.C.
`§ 1332 because Mr. Shapiro is a citizen of a different state than AT&T, Synchronoss
`and Spring.
`21. This Court has personal jurisdiction over AT&T and its contractors
`Synchronoss and Spring because AT&T purposefully directs its conduct at California,
`transacts substantial business in California (including in this District), has substantial
`aggregate contacts with California (including in this District), engaged and is
`engaging in conduct that has and had a direct, substantial, reasonably foreseeable, and
`intended effect of causing injury to persons in California (including in this District),
`and purposely avails itself of the laws of California. AT&T had more than 33,000
`employees in California as of 2017, and 1,470 retail locations in the state.5 Mr. Shapiro
`
`5 “About Us,” AT&T California, supra at 1.
`
`purchased his AT&T wireless plan in California, visited AT&T retail locations in
`California, and was injured in California by the acts and omissions alleged herein.
`22. In accordance with 28 U.S.C. § 1391, venue is proper in this District because a
`substantial part of the conduct giving rise to Mr. Shapiro’s claims occurred in this
`District and Defendant transacts business in this District. Mr. Shapiro purchased his
`AT&T wireless plan in this District and was harmed in this District, where he resided,
`by AT&T’s acts and omissions, as detailed herein.
`IV. ALLEGATIONS APPLICABLE TO ALL COUNTS
`23. As a telecommunications carrier, AT&T is entrusted with the sensitive wireless
`account information and personal data of millions of Americans, including Mr.
`Shapiro’s confidential and sensitive personal and account information. AT&T’s duties
`to safeguard customer information are non-delegable to any other entity, including its
`third-party call contractors such as Synchronoss and Spring.
`24. Despite its representations to its customers and its obligations under the law,
`AT&T has failed to protect Mr. Shapiro’s confidential information. On at least four
`occasions between May 16, 2018 and May 18, 2019, AT&T employees,
`representatives and agents obtained unauthorized access to Mr. Shapiro’s AT&T
`wireless account, viewed his confidential and proprietary personal information, and
`transferred control over Mr. Shapiro’s AT&T wireless number from Mr. Shapiro’s
`phone to a phone controlled by third-party hackers in exchange for money. The
`hackers then utilized their control over Mr. Shapiro’s AT&T wireless number—
`including control secured through cooperation with AT&T employees—to access his
`personal and digital finance accounts and steal more than $1.9 million from Mr.
`Shapiro, which is valued much higher today because of the increase in cryptocurrency
`values.
`25. This type of telecommunications account hacking behavior is known as “SIM
`swapping.”
`A. SIM Swapping is a Type of Identity Theft Involving the Transfer of a
`Mobile Phone Number.
`26. A “SIM swap” is a relatively simple scheme, wherein a hacker gains control of
`a victim’s mobile phone number and service in order to intercept communications,
`including text messages, intended for the victim. The hackers then use that phone
`number as a key to access and take over the victim’s digital accounts, such as email,
`file storage, and financial accounts.
`27. Most cell phones, including the iPhone owned by Mr. Shapiro at the time of his
`SIM swaps, have internal SIM (“subscriber identity module”) cards. A SIM card is a
`small, removable chip that allows a cell phone to communicate with the wireless
`carrier and the carrier to know what subscriber account is associated with that phone.
`The connection between the phone and the SIM card is made by the carrier, which
`pairs each SIM card with the physical phone’s IMEI (“international mobile equipment
`identity”), which is akin to the phone’s serial number. Without a working SIM card
`and effective SIM connection, a phone typically cannot send or receive calls or text
`messages over the carrier network. SIM cards can also store a limited amount of
`account data, including contacts, text messages, and carrier information, and that data
`can help identify the subscriber.
`28. The SIM card associated with a wireless phone can be changed. If a carrier
`customer buys a new phone that requires a different sized SIM card, for example, the
`customer can associate his or her account with a new SIM card and the new phone’s
`IMEI by working with their cell phone carrier to effectuate the change. This allows
`carrier customers to move their wireless number from one cell phone to another and to
`continue accessing the carrier network when they switch cell phones. For a SIM card
`change to be effective, the carrier must authenticate the request and actualize the
`change. AT&T allows its employees to conduct SIM card changes for its customers
`remotely or in its retail stores.
`29. A SIM swap refers to an unauthorized and illegitimate SIM card change.
`During a SIM swap attack, the SIM card associated with the victim’s wireless account
`is switched from the victim’s phone to a phone controlled by a third party. This
`effectively moves the victim’s wireless phone—including access to incoming data,
`texts, and phone calls associated with the victim’s phone—from the victim’s phone to
`a phone controlled by the third party (also referred to herein as a “hacker”). The
`hacker’s phone then becomes the only phone associated with the victim’s carrier
`account, and the hacker receives all of the text messages and phone calls intended for
`the victim.6 Meanwhile, the victim’s phone loses its connection to the carrier network.
`30. Once hackers have control over the victim’s phone number, they can use that
`control to access the victim’s personal online accounts, such as email and banking
`accounts, through exploiting password reset links sent via text message to the now-
`hacker-controlled-phone or the two-factor authentication processes associated with the
`victim’s digital accounts. Two-factor authentication allows digital accounts to be
`accessed without a password, or allows the account password to be changed. One
`common form of two-factor authentication is text messaging. Rather than enter a
`password, the hacker requests that a password reset be sent to the mobile phone
`number associated with the account. Because the hacker now controls that phone
`number, the reset code is sent to them. The hacker can then log into, and change the
`password for, the victim’s email, financial and other accounts, allowing them to
`access the contents of the account.7
`31. The involvement of a SIM swap victim’s wireless carrier is critical to a SIM
`swap. In order for an unauthorized SIM swap to occur and for a SIM swap victim to
`
`
`6 As described by federal authorities in prosecuting SIM swap cases, SIM swapping enables hackers to “gain
`control of a victim’s mobile phone number by linking that number to a subscriber identity module (‘SIM’)
`card controlled by [the hackers]—resulting in the victim’s phone calls and short message service (‘SMS’)
`messages being routed to a device controlled by [a hacker].” United States of America v. Conor Freeman, No.
`2:19-cr-20246-DPH-APP (E.D. Mich. Filed Apr. 18, 2019) (hereafter, “Freeman Indictment”), ECF. No. 1 ¶ 3
`(attached hereto as Exhibit B).
`7 See, e.g., id. at ¶ 4 (“Once [hackers] had control of a victim’s phone number, it was leveraged as a gateway
`to gain control of online accounts such as the victim’s email, cloud storage, and cryptocurrency exchange
`accounts. Sometimes this was achieved by requesting a password-reset link be sent via [text messaging] to the
`device control by [hackers]. Sometimes passwords were compromised by other means, and [the hacker’s]
`device was used to received two-factor authentication (‘2FA’) message sent via [text message] intended for
`the victim.”).
`
`be at any risk, the carrier must receive a request to change a victim’s SIM card and
`effectuate the transfer of the victim’s phone number from one SIM card to another.
`32. In Mr. Shapiro’s case, not only did AT&T employees, representatives and
`agents access his account and authorize changes to that account without Mr. Shapiro’s
`consent, but its employees actively profited from this unauthorized access by
`knowingly giving control over his phone number to hackers for the purposes of
`robbing him.
`
`B. AT&T Allowed Unauthorized Access to Mr. Shapiro’s Account Four
`Times Over the Course of Approximately One Year.
`33. On four occasions in 2018 and 2019, Mr. Shapiro was the victim of an
`unauthorized “SIM swap.”
`34. Between May 16, 2018 and May 18, 2019, AT&T employees, representatives
`and agents accessed Mr. Shapiro’s AT&T wireless account without his authorization,
`obtained his confidential and proprietary personal information, and sold that
`information to third parties who then used it to steal from Mr. Shapiro, access his
`sensitive and confidential information, and threaten his family.
`
`
`The First SIM swap (May 16, 2018)
`35. On May 16, 2018 at approximately 1:35 PM ET, Mr. Shapiro’s AT&T SIM
`card was changed without his knowledge or authorization for the first time. On
`information and belief, the first SIM swap was conducted by an employee or agent of
`AT&T agent Synchronoss.
`36. At the time of the SIM swap, Mr. Shapiro was attending a conference in New
`York City. He noticed that his AT&T cell phone had lost service. Mr. Shapiro’s
`device was no longer connected to the AT&T wireless network, and he was no longer
`able to place or receive wireless calls.
`37. Mr. Shapiro immediately suspected that a SIM swap attack was underway and
`called AT&T to secure his account. Mr. Shapiro informed the AT&T customer service
`agent that he suspected his account had been accessed without authorization and that
`he was in possession of large amounts of digital currency, which he feared could be at
`risk.
`38. During his call with AT&T, Mr. Shapiro repeatedly asked to speak to upper
`management or to be connected to the AT&T department responsible for security.
`AT&T records confirm Mr. Shapiro’s request to speak to the fraud department. Mr.
`Shapiro was (incorrectly) told that no such department existed, and his call was never
`escalated to management. Instead, he was put on lengthy holds and ultimately told to
`turn off his phone and go to an AT&T retail location for further assistance. His AT&T
`service was then suspended.
`39. Immediately upon ending the call with AT&T’s customer service, Mr. Shapiro
`went to an AT&T retail store in Manhattan, New York.8 On information and belief,
`the store was owned and operated by AT&T. Upon arriving, Mr. Shapiro informed
`AT&T employees, representatives and agents —including an AT&T sales
`representative, Juneice Arias—that he suspected unauthorized SIM swap activity on
`his account and once again advised that he had confidential information and digital
`currency at risk.
`40. AT&T employees, representatives and agents told Mr. Shapiro at that time that
`they had noted the SIM swap activity in his account. Mr. Shapiro implored AT&T for
`its assurance that it would not allow his mobile phone number to be swapped out
`again because the financial life or death of his family was at stake. An AT&T
`employee, representative and agent assured him that they were monitoring his account
`and that his SIM card would not be swapped again without his authorization. On this
`assurance, Mr. Shapiro decided not to close his AT&T account.
`41. AT&T employees, representatives and agents advised Mr. Shapiro to purchase
`a new wireless phone with a new SIM card from AT&T. AT&T employees,
`representatives and agents assured Mr. Shapiro that purchasing a new wireless phone
`
`
`8 This AT&T retail store is located at 1330 Avenue of the Americas, New York, NY 10019, and is listed on
`the att.com corporate website as an “AT&T” store.
`
`with a new SIM card would secure his account and prevent additional SIM swap
`attacks. In reliance on this assurance, Mr. Shapiro purchased a new iPhone for several
`hundred dollars, as well as a new SIM card, in the AT&T retail store.9 AT&T
`employees then activated the new phone and the new SIM card and restored Mr.
`Shapiro’s service, thereby allowing Mr. Shapiro to regain control over his AT&T cell
`phone number.
`
`
`The Second SIM Swap (May 16, 2018)
`42. Mere minutes later—while Mr. Shapiro was still in the AT&T retail store—Mr.
`Shapiro’s AT&T account was again improperly accessed, and the SIM card associated
`with his phone number was changed. Mr. Shapiro again lost control over his AT&T
`cell phone number. On information and belief, the first SIM swap was conducted by
`an employee or agent of AT&T agent Synchronoss.
`43. Mr. Shapiro immediately informed AT&T employees, representatives and
`agents that AT&T had once again allowed an unauthorized SIM swap. Employees
`informed him that he needed to wait until it was his turn to be assisted.
`44. Mr. Shapiro waited for approximately 45 minutes inside the AT&T retail store
`for help from AT&T employees, representatives and agents. In that time, third-party
`individuals were able to use their control over Mr. Shapiro’s AT&T cell phone
`number to access Mr. Shapiro’s personal and financial accounts and rob him of
`approximately $1.9 million (and valued much higher today because of the increase in
`cryptocurrency values), all while Mr. Shapiro stood helplessly in the AT&T store
`asking for the company’s help.
`45. While third parties had control over Mr. Shapiro’s AT&T wireless number,
`they used that control to access and reset the passwords for Mr. Shapiro’s email
`accounts, applications, and accounts on cryptocurrency exchange platforms, including
`KuCoin, Bittrex, Wax, Coinbase, Huobi, Cryptopia, LiveCoin, HitBTC, Coss.io, Liqui,
`and Bitfinex. Cryptocurrency exchanges are online platforms where different forms of
`
`9 “Privacy Policy,” AT&T, supra, attached hereto as Exhibit A.
`
`cryptocurrency (e.g. bitcoin) are bought and sold.
`46. Before the May 2018 SIM swaps, Mr. Shapiro had raised funds in the form of
`cryptocurrency for a new business venture. This capital, as well as Mr. Shapiro’s
`personal funds, was accessed by the hackers utilizing their control over Mr. Shapiro’s
`AT&T wireless number, although the business funds were stored separately from Mr.
`Shapiro’s personal funds.
`47. By utilizing their control over Mr. Shapiro’s AT&T cell phone number—and
`the control of additional accounts (such as his email) secured through that number by
`utilizing two factor authentication—these third-party hackers were able to access Mr.
`Shapiro’s accounts on various cryptocurrency exchange platforms, including the
`accounts he controlled on behalf of his business venture. The hackers then transferred
`Mr. Shapiro’s currency from Mr. Shapiro’s accounts into accounts that they
`controlled.10 In all, they stole more than $1.9 million from Mr. Shapiro in the two
`consecutive SIM swap attacks on May 16, 2018, which is valued much higher today
`because of the increase in cryptocurrency values.
`48. On information and belief, the hackers also utilized their control over Mr.
`Shapiro’s AT&T wireless number to access and steal Mr. Shapiro’s currency on
`cryptocurrency exchanges (including Liqui.io, Livecoin, and Huobi) to which Mr.
`Shapiro was never able to regain access.
`49. The hackers also used their control over Mr. Shapiro’s AT&T cell phone
`number to access and change the passwords for approximately 15 of Mr. Shapiro’s
`online accounts, including four email addresses, his Evernote account (a web
`application for taking notes and making task lists), and his PayPal account (a digital
`payment platform).
`50. It took Mr. Shapiro approximately 14 hours to regain access to and restore
`
`10 See Affidavit for Search Warrant, Florida v. Ricky Handschumacher, No. 18-cf-4271-AXWS (6th Dist. Fl.
`July 25, 2018) (attached hereto as Exhibit C) at p. 8 (explaining how hackers—including hackers involved in
`robbing Mr. Shapiro—would “gain access to the victim’s email accounts and cryptocurrency exchanges . . .
`[and] use the victim’s funds to purchase cryptocurrencies and transfer it to a accounts [sic] or wallets the
`[hackers] controlled.”). Due to the nature of cryptocurrency, this process makes it extremely difficult to track
`and seize the location of stolen cryptocurrency.
`
`control over his email and other personal accounts. By then, however, the damage was
`done: these accounts, and all of their contents, had already been compromised.
`51. Criminal investigations into the May 2018 breaches to Mr. Shapiro’s AT&T
`account and the resulting theft revealed that at least two AT&T employees,
`representatives and agents, acting in the scope of their employment and agency,
`accessed and permitted others to access Mr. Shapiro’s AT&T account and the
`confidential information contained therein.11 As federal authorities describe, “These
`employees, while not necessarily knowing the entirety of [the hackers] plans, were
`aware that they were assisting in the theft of identities of subscribers to their
`employer’s services.”12
`52. The two AT&T employees, representatives and agents involved, Robert Jack
`and Jarratt White,13 reside in Arizona. AT&T confirmed their status as employees,
`representatives or agents ,14 their involvement in the unauthorized access of Mr.
`Shapiro’s account,15 and their involvement in the two SIM swaps that occurred on
`May 16, 2018.
`53. Specifically, criminal investigations reveal that a third-party (an individual
`identified by authorities as “JD”) paid Jack and White to change the SIM card
`associated with Mr. Shapiro’s AT&T account from the SIM card in Mr. Shapiro’s
`phone to a SIM card in a phone controlled by JD and others.16
`54. In order to effectuate the swaps, Jack and/or White used their access to Mr.
`Shapiro’s account—access gained through their AT&T employment—to view his
`
`
`11 See Criminal Complaint & Affidavit, United States of America v. Jarratt White, No. 2:19-mj-30227-DUTY
`(E.D. Mich. Filed May 2, 2019) (hereafter, “White Affidavit”), ECF No. 1 (attached hereto as Exhibit D).
`12 Id. ¶ 8.
`13 Id. ¶¶ 10-15 (describing White’s involvement in the unauthorized access of Mr. Shapiro’s
`AT&T account and the resulting theft) and ¶¶ 16-19 (describing Jack’s involvement).
`14 Id. ¶ 15 (“AT&T confirmed that WHITE was a contract employee from Tucson, Arizona.”) and ¶
`16 (“Based on records provided from AT&T, ROBERT JACK, a second AT&T contract employee
`from Tucson, Arizona . . . .”)
`15 Id. ¶¶ 11, 15-16.
`16 Id. ¶¶ 11, 16-19.
`
