`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 1 of 90
`
`
`
`
`EXHIBIT “A”
`EXHIBIT “A”
`
`
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 2 of 90
`
`Matt Putterman (CA Bar No. 306845)
`PUTTERMAN LAW, APC
`23 Corporate Plaza Drive - Suite 150
`Newport Beach, CA 92660
`Telephone: (949) 271-6382
`E-Mail: Matt@Putterman-Law.com
`
`David C. Silver, Esq. (Pro Hac Vice - DE 10)
`SILVER MILLER
`11780 W. Sample Road4450 NW 126th Avenue - Suite 101
`Coral Springs, Florida 33065
`Telephone: (954) 516-6000
`E-Mail: DSilver@SilverMillerLaw.com
`
`Attorneys for Plaintiff Daniel Fraser
`
`
`UNITED STATES DISTRICT COURT
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`Plaintiff,
`
`
`DANIEL FRASER, an individual;
`
`
`v.
`
`MINT MOBILE, LLC, a Delaware limited
`liability company;
`
`Defendant.
`
`
`Case No. 3:22-cv-00138-WHA
`
`FIRST AMENDED COMPLAINT FOR:
`(1) DECLARATORY JUDGMENT
`(2) BREACH OF FEDERAL
`COMMUNICATIONS ACT [47 U.S.C. §§ 206,
`222]
`(3) VIOLATION OF COMPUTER FRAUD
`AND ABUSE ACT (“CFAA”) [18 U.S.C. §
`1030(a)(2)(C) and 1030(a)(4)]
`(4) VIOLATION OF CALIFORNIA UNFAIR
`COMPETITION LAW - CAL. BUS. & PROF.
`CODE § 17200 et seq.
`(5) VIOLATION OF CALIFORNIA UNFAIR
`COMPETITION LAW - CAL. BUS. & PROF.
`CODE § 17200 et seq.
`(6) VIOLATION OF CALIFORNIA UNFAIR
`COMPETITION LAW - CAL. BUS. & PROF.
`CODE § 17200 et seq.
`(7) NEGLIGENCE
`(8) NEGLIGENT MISREPRESENTATION
`(9) NEGLIGENT TRAINING AND
`SUPERVISION
`(10) BREACH OF CONTRACT
`(11) BREACH OF IMPLIED CONTRACT
`(12) BREACH OF IMPLIED DUTY OF
`GOOD FAITH AND FAIR DEALING
`
`
`
`
`
`
`
`
`
`
`
`
`Case No. 3:22-cv-00138-WHA
`
`FIRST AMENDED COMPLAINT
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 3 of 90
`
`
`
`Plaintiff DANEIL FRASER, an individual (hereafter referred to as “Plaintiff”), by and through
`undersigned counsel, hereby sues Defendant MINT MOBILE, LLC, a Delaware limited liability
`company (“Defendant” or “MINT”), for damages and equitable relief. As grounds therefor, Plaintiff
`alleges the following:
`
`PRELIMINARY STATEMENT
`1.
`This action is brought by Plaintiff, a MINT customer who lost approximately Four
`Hundred Sixty-Six Thousand Dollars ($466,000.00) worth of cryptocurrency in an ongoing identity
`theft crime called “SIM hijacking.”
`2.
`A subscriber identity module, widely known as a “SIM card,” stores user data in phones
`on the Global System for Mobile (GSM) network -- the radio network used by MINT, operating on T-
`Mobile’s GSM-based network, to provide cellular telephone service to its subscribers.
`3.
`MINT is a mobile virtual network operator (“MVNO”) that operates on the
`infrastructure of T-Mobile’s existing network.
`4.
`SIM cards are principally used to authenticate cellphone subscriptions; as without a SIM
`card, GSM phones are not able to connect to T-Mobile’s telecommunications network.
`5.
`Not only is a SIM card vital to using a phone on the MINT network, the SIM card also
`holds immeasurable value as a tool to identify the user of the phone -- a power that can be corrupted to
`steal the identity of that user.
`6.
`Preserving the security surrounding a MINT accountholder’s SIM card and account with
`the phone carrier is a duty of paramount importance.
`7.
`MINT expressly acknowledges that MINT’s consumers “have a right, and [Mint
`Mobile] has a duty, to protect the confidentiality of information regarding your telephone use, the
`
`services you purchase from us, the calls you place and the location of your device on our network when
`you make a telephone call” and that once MINT “receive[s] your personal information, we take steps
`that we believe are reasonable to limit access to your personal information to only those employees
`
`and service providers whom we determine need access to the personal information to provide the
`
`requested products, services, offers or opportunities that may be of interest to you or that you have
`ordered.”
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`- 2 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 4 of 90
`
`
`
`8.
`Likewise, MINT acknowledges “us[ing] technology and security features and strict
`policy guidelines to safeguard the privacy of CPNI and protect it from unauthorized access or improper
`
`use. Mint Mobile does not disclose CPNI outside of Mint Mobile, its affiliates and their respective
`agents without customer consent except as required by law.”
`9.
`Those statements are consistent with MINT’s duties and obligations under the Federal
`Communications Act of 1934 and the pertinent implementing regulations.
`10. Moreover, MINT is well aware of the pervasive harm posed by SIM hijacking, as its co-
`founder Rizwan Kassim has publicly acknowledged the issue as far back as 2019.1
`11.
`Notwithstanding the importance of the duty MINT concedes that it bears, MINT
`breached its duty to safeguard the data it had collected from and about Plaintiff; and MINT facilitated
`the theft of Plaintiff’s identity and his assets.
`12.
`As reported by numerous media sources2, MINT exposed to hackers and countless
`unauthorized persons on or about June 8, 2021 through June 10, 2021 the personal identifying
`information of a number of MINT subscribers, including the subscribers’ names, addresses, e-mail
`addresses, phone numbers, account numbers, and passwords.
`Plaintiff was among the unfortunate MINT subscribers whose personal
`13.
`information was exposed by MINT in June 2021.
`14.
`Shortly after the data breach, MINT confirmed in an e-mail to Plaintiff that his MINT
`account had been compromised and that, as a result, his phone number has been ported to another
`mobile telecommunications carrier:
`
`
`1 See, e.g., “SIM hijacking/Port Out Fraud: we might be at risk!”, Reddit (January 7, 2019),
`https://www.reddit.com/r/mintmobile/comments/adjdw7/sim_hijacking_port_out_fraud_we_might_be_at_risk/.
`2 See, e.g., “Mint Mobile hit by a data breach after numbers ported, data accessed,” Bleeping Computer
`(July 10, 2021), https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-
`after-numbers-ported-data-accessed/; “Hackers Access Personal and Call Information and Port
`Numbers
`in Mint Mobile Data Breach,” CPO Magazine
`(July
`22,
`2021),
`https://www.cpomagazine.com/cyber-security/hackers-access-personal-and-call-information-and-
`port-numbers-in-mint-mobile-data-breach/.
`
`- 3 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 5 of 90
`
`
`
`
`
`
`
`
`
`
`
`
`Attached hereto as Exhibit “A” is a true and correct copy of the entire July 9, 2021 message sent by
`MINT to Plaintiff.
`15. MINT ported out Plaintiff’s phone number to an unauthorized person in an unauthorized
`manner on June 11, 2021 even though just days earlier (June 8, 2021), Plaintiff had implemented “PIN
`verification” on his MINT account which, for security purposes, required anyone contacting MINT to
`provide a one-time temporary passcode to make any changes on Plaintiff’s account, including
`transferring his phone service to a different telecommunications provider.
`16.
`On June 11, 2021, swiftly following MINT’s release of Plaintiff’s personal identifying
`information and account to an unauthorized person, Plaintiff was robbed of his assets -- an act that
`would not have happened but for MINT providing the unauthorized person all of the tools needed to
`commit such a heinous and devastating act.
`17.
`“SIM hijacking” is not merely an ongoing crime; it is a booming crime -- especially one
`that targets cryptocurrency investors.
`18.
`Over the past three years alone, undersigned counsel has represented nearly three
`hundred (300) SIM hijacking victims across the country whose individual cryptocurrency losses have
`ranged from as little as $3,000.00 to as much as $12,500,000.00.
`19.
`Notwithstanding MINT’s knowledge of the prevalence of SIM hijacking and its
`assurance that it was actively protecting its customers, those measures did not adequately protect
`Plaintiff from the harm he suffered.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`- 4 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 6 of 90
`
`
`
`20.
`Furthermore, in a Criminal Complaint filed by the U.S. Department of Justice in a
`Michigan federal court in mid-20193, it is painfully apparent that employees at cellphone service
`providers are willingly responding to solicitations to join criminal enterprises focused on effectuating
`SIM hijacks. As stated in the Criminal Complaint, the U.S. Attorney’s Office has evidence
`demonstrating that AT&T employees Jarratt White and Robert Jack and Verizon employee Fendley
`Joseph (in return for payment) actively, knowingly, and intentionally assisted a criminal enterprise
`known as “The Community” by providing Personal Identifiable Information (PII) for targeted
`cellphone customers; and that with the PII that the cellphone carrier employees provided, members of
`The Community would then call the cellphone carriers and impersonate each target customer to get the
`target’s phone number reassigned to a device controlled by The Community. At the present time, it is
`believed that The Community -- with assistance from employees at numerous cellphone service
`providers -- facilitated SIM hijacks leading to the theft of more than $2,200,000.00 of cryptocurrency
`from targeted cellphone service accountholders.
`21.
`As a result of MINT’s failures if not active participation in SIM port theft that was
`inflicted upon him, Plaintiff had approximately Four Hundred Sixty-Six Thousand Dollars
`($466,000.00) of assets stolen from him in June 2021.
`22.
`Plaintiff seeks compensatory and equitable relief restoring to him the assets and funds
`that were illegally taken from him.
`
`THE PARTIES
`PLAINTIFF
`23.
`Plaintiff DANIEL FRASER (“Plaintiff” or “FRASER”) is an individual domiciled in
`San Ramon, California and is sui juris. At all times material, Plaintiff has been an accountholder and
`subscriber with MINT. Among other things, Plaintiff’s subscription with MINT permitted Plaintiff to
`use his cellphone for the following -- all of which Plaintiff in fact did with his phone: make and receive
`telephone calls with people around the world, send and receive text messages with people around the
`world, and access the internet and websites around the world through one or more web browsers.
`
`3 U.S.A. v. Jarratt White, Robert Jack, and Fendley Joseph, U.S. Dist. Ct. - Eastern District of Michigan,
`Case No. 2:19-mj-30227.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`- 5 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 7 of 90
`
`
`
`DEFENDANT
`24.
`Defendant MINT is a Delaware limited liability company which lists its principal place
`of business in Costa Mesa, California. MINT functions as a mobile virtual network operator (MVNO)
`on T-Mobile’s cellular network, meaning it uses T-Mobile’s network but is not owned by T-Mobile.
`MINT provides wireless service to subscribers in the United States and Puerto Rico.
`JURISDICTION AND VENUE
`25.
`This Court has original jurisdiction over the subject matter of this action pursuant to 28
`U.S.C. § 1331, because the matter in controversy arises under the laws of the United States.
`26.
`This Court also has supplemental jurisdiction over the state law claims pursuant to 28
`U.S.C. § 1367.
`27.
`This Court has personal jurisdiction over Defendant because: (a) Defendant is operating,
`present, and/or doing business within this District, and (b) Defendant’s breaches and unlawful activity
`occurred within this District.
`28.
`Venue is proper pursuant to 28 U.S.C. § 1391 in that Defendant resides in this judicial
`district and Defendant is subject to the court’s personal jurisdiction with respect to this action. In light
`of the foregoing, this District is a proper venue in which to adjudicate this dispute.
`GENERAL FACTUAL ALLEGATIONS
`MINT MOBILE’S BUSINESS AND CUSTOMER ASSURANCES
`29. MINT markets and sells wireless telephone service through wireless service plans online
`
`only.
`
`30.
`In connection with its wireless services, MINT maintains wireless accounts enabling its
`customers to have access to information about the services they purchase from MINT.
`31.
`It is widely recognized that mishandling of customer wireless accounts can facilitate
`identify theft and related consumer harms.
`32. MINT expressly acknowledges that MINT customers “have a right, and Mint Mobile
`has a duty, to protect the confidentiality of [your Customer Proprietary Network Information].”
`33.
`Among other things, MINT’s Privacy Policy states: “We take precautions and have
`implemented certain technical measures intended to protect against unauthorized access to, disclosure
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`- 6 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 8 of 90
`
`
`
`of, and unlawful interception of [your] personal information. *** Once we receive your personal
`information, we take steps that we believe are reasonable to limit access to your personal
`information….”
`34.
`Despite these statements and other similar statements, MINT fails to provide reasonable
`and appropriate security to prevent unauthorized access to customer accounts.
`35.
`Under MINT’s procedures, an unauthorized person -- including MINT’s own agents and
`employees acting without the customer’s permission -- can easily impersonate the identity of the
`accountholder and then access and make changes to all the information that a legitimate customer could
`access and to which the customer could make changes if the customer were so authorized. For example,
`a simple Google search may reveal the information used to verify the identity of an accountholder, such
`as an address, zip code, telephone number, and/or e-mail address.
`36. MINT also fails to adequately disclose that its automated processes or human
`performances often fall short of its express and implied representations or promises.
`HOW SIM PORTING WORKS
`37.
`“SIM hijacking” is a growing crime in the telecommunications world that requires little
`more than a thorough Google search, a willing and/or negligent telecommunications carrier
`representative, and an electronic or in-person impersonation of the victim.
`“SIM hijacking” normally takes one of two forms: “SIM swapping” (in which the
`38.
`victim’s telephone service is transferred to an unauthorized person serviced by the same mobile
`telecommunications provider as the victim) or “SIM porting” (in which the victim’s telephone service
`is transferred to an unauthorized person serviced by a mobile telecommunications carrier different from
`that of the victim). Although the path to the hijacking is slightly different between the two, the results
`to the victim are the same -- loss of mobile telephone service, identity theft, and oftentimes theft of
`assets.
`
`39.
`In the instant matter, because Plaintiff is the victim of a SIM port, that is the path that
`will be discussed herein.
`40.
`The theft begins when MINT -- acting through MINT agents -- allows an unauthorized
`person access to a wireless telephone account without the knowledge of the accountholder.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`- 7 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 9 of 90
`
`
`
`41.
`Often working in tandem with MINT employees -- who purposefully or negligently leak
`consumer data to third parties and/or the internet as a whole -- an unauthorized person using the
`personal identifying information provided by MINT instructs a mobile telecommunications provider
`like AT&T Wireless, T-Mobile, or Verizon to contact MINT’s technical support department with a
`computerized request to transfer the victim’s MINT phone service to the alternative mobile
`telecommunications provider under the guise that the individual making the request to transfer service
`is actually the victim.
`42.
`In actuality, the unauthorized person acts intending to assume the electronic identity of
`the target of the crime by possessing and utilizing information that only MINT should have.
`43.
`Under current federal regulations, the only identifying criteria required to process a
`request for a SIM port are: (1) 10-digit telephone number, (2) customer account number, (3) 5-digit
`ZIP Code of the accountholder’s registered service address, and (4) passcode [if applicable].
`44.
`Upon information and belief, MINT undertakes no measures beyond those minimal
`requirements to ensure the legitimacy of a SIM port request.
`45.
`According to an April 2021 posting on Reddit.com4, MINT’s glaring lack of security to
`prevent unauthorized port out requests exposed all MINT subscribers to SIM hijacking:
`
`
`
`
`46.
`Upon further information and belief, according to MINT co-founder Rizwan Kassim’s
`response to the above-cited criticism, MINT only recently instituted a function that would allow some
`
`
`4 https://www.reddit.com/r/mintmobile/comments/n96hm1/when_will_mint_mobile_have_2fa/.
`
`- 8 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 10 of 90
`
`
`
`of its accountholders to implement a security passcode on their MINT accounts -- the lack of which
`makes the porting process even easier and even more prone to fraud:.
`
`
`
`
`
`47.
`As noted in Mr. Kassim’s public posting, the “broader set of security items” were not
`in place in early-June 2021.
`48.
`In essence, the only information that an unauthorized person would need to take over a
`MINT subscriber’s account and have the subscriber’s phone service ported to a different carrier is: (1)
`the victim’s 10-digit telephone number, (2) the victim’s MINT account number, (3) the 5-digit ZIP
`Code of the victim’s registered service address, and (4) [if implemented on an account] some sort of
`“PIN verification.”
`49.
`Using the above-criteria and/or other personal identifying information provided by
`MINT about a MINT accountholder (in this case, through MINT’s systemwide data leak), the thief
`impersonates the actual MINT accountholder and instructs a different mobile telecommunications
`provider (e.g., AT&T, Verizon, or T-Mobile) to initiate a computerized “port request” with MINT to
`have the accountholder’s phone number transferred away from MINT and to the new service provider.
`50.
`Although the “port request” is commonly categorized as a computer-to-computer
`interaction, the request must be initiated by the new mobile telecommunications provider by inputting
`the necessary validating criteria and identifying information -- something that can only take place if the
`requesting party knows that validating criteria and identifying information.
`51.
`In the case of an unauthorized SIM port, that information is illegally obtained from
`and/or illegally provided by MINT.
`52.
`By getting the target’s MINT wireless telephone number transferred to a new SIM card
`that he owns, the thief is able to bypass all security measures in place on the accountholder’s account
`to effectuate the transfer.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`- 9 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 11 of 90
`
`
`
`53. Whether acting as a co-conspirator to the theft or through willful and/or abject
`negligence, MINT transfers (or “ports”) to the unauthorized person the MINT accountholder’s wireless
`telephone number -- disconnecting the telephone number from the actual MINT accountholder’s
`wireless phone’s SIM card and then connecting the telephone number to a SIM card under the control
`of the unauthorized person.
`54.
`From there, the victim loses MINT service (including the ability to send or receive talk,
`text, or data transmissions), given that only one SIM card can be connected to MINT’s network with
`any given telephone number at a time.
`55.
`Using the information provided by MINT, the thief then assumes the victim’s electronic
`identity, beginning with his electronic mail address, which the thief overtakes employing a simple
`“Password Reset” feature that requires control of the victim’s cellphone number (which was supplied
`to the thief by MINT).
`56.
`Having been delivered the victim’s MINT telephone number and, directly or indirectly,
`his electronic mail address, the thief then diverts to himself access to the victim’s banking and
`investment accounts (including cryptocurrency holdings) by similarly using the victim’s MINT
`telephone number as a “recovery method” to reset passwords and access to those accounts -- even if
`the victim had two-factor authentication activated as a security measure on his accounts.
`57.
`At that point, the thief absconds with the victim’s cryptocurrency holdings and other
`personal assets -- all triggered by MINT enabling the unauthorized person the ability to bypass the
`security measures MINT represented to its accountholder would keep his personal information safe
`from theft.
`58.
`To be clear, simply knowing an accountholder’s cellphone number or e-mail address is
`not enough. The key is having control over and securing those vital electronic gateways to information
`and communication; and MINT has contumaciously placed the keys to those gates directly into the
`unauthorized person’s hands while simultaneously denying its accountholders their power over such
`things.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`- 10 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 12 of 90
`
`
`
`PLAINTIFF’S SIM PORT AND HACK AND THEFT OF PLAINTIFF’S ASSETS
`59.
`On June 8, 2021, Plaintiff communicated with MINT Customer Service representatives
`and, for security purposes, implemented on his MINT account the “PIN Verification” feature, which
`required that a one-time temporary passcode be timely submitted to MINT to verify that any change
`being requested on his MINT account was actually coming from Plaintiff -- the MINT accountholder,
`not an unauthorized interloper or hacker.
`60.
`In the instant matter, MINT bypassed the enhanced security of which Plaintiff had
`availed himself just a few days earlier and provided to an unauthorized person not just all of the
`information the unauthorized person needed to take over Plaintiff’s MINT account and get it ported but
`also vital additional personal identifying information that facilitated the theft of Plaintiff’s identity and
`his cryptocurrency assets.
`61.
`As noted above, MINT leaked some or all of the following:
`
`
`
`
`
`
`
`62. Whether acting as a co-conspirator to the theft or through abject negligence, MINT
`transferred to the unknown and unauthorized party control over Plaintiff’s mobile telephone number
`and e-mail address, which ultimately led to the theft of approximately Four Hundred Sixty-Six
`Thousand Dollars ($466,000.00) in cryptocurrency assets from Plaintiff on or about June 11, 2021.
`63.
`Despite Plaintiff’s reasonable diligence in protecting the information required to access
`his e-mail and financial accounts, his efforts were thwarted when MINT handed the thief the tools
`needed to take control of those accounts -- namely, control over Plaintiff’s cellphone number, control
`
`- 11 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 13 of 90
`
`
`
`over his e-mail address, and control over receipt of password-reset text messages, which is all that is
`needed to assume Plaintiff’s digital identity as far as several of those accounts are concerned.
`64. MINT ported Plaintiff’s mobile phone account to another carrier (Metro by T-Mobile)
`on or about June 11, 2021 without Plaintiff’s authorization or prior knowledge.
`65.
`Once the unauthorized person was finally so empowered by MINT with Plaintiff’s
`personal information, he set out to abscond with Plaintiff’s assets.
`66.
`Specifically, commencing on or about June 11, 2021, the unauthorized and unknown
`person -- all without Plaintiff’s knowledge or authorization -- withdrew from Plaintiff’s cryptocurrency
`account the following cryptocurrency assets:
`
`Date: June 11, 2021, 8:08 a.m.
`
`Name: Daniel Fraser
`Mint Mobile permits unauthorized
`transfer of Mr. Fraser’s SIM card
`
`
`
`
`
`Date of
`Cryptocurrency
`Theft
`
`June 11, 2021
`9:19 a.m.
`June 11, 2021
`9:20 a.m.
`June 11, 2021
`9:20 a.m.
`June 11, 2021
`9:21 a.m.
`June 11, 2021
`9:22 a.m.
`June 11, 2021
`9:22 a.m.
`June 11, 2021
`10:11 a.m.
`
`Cryptocurrency
`Assets Stolen
`
`
`which Assets were
`Stolen
`
`Location from Approximate Value of
`Funds/ Assets Stolen
`as of Date of Theft
`[June 11, 2021]5
`
`82.446355830983653777 ETH
`
`4.19851172 BTC
`
`1.00066198 BTC
`
`16.000609 ETH
`
`0.30000449 BTC
`
`0.75778501 BTC
`
`0.299391 ETH
`
`Ledger
`
`Ledger
`
`Ledger
`
`Ledger
`
`Ledger
`
`Ledger
`
`Ledger
`
`$197,909.42
`
`$154,232.27
`
`$36,759.30
`
`$38,408.86
`
`$11,020.66
`
`$27,837.22
`
`$716.43
`
`
`is calculated using market data compiled by
`funds/assets
`the stolen
`5 Valuation of
`www.CoinMarketCap.com, which takes the volume weighted average of all prices reported at several
`dozen cryptocurrency markets serving investors in the United States and abroad.
`
`TOTAL
`
`$466,884.16
`
`- 12 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 14 of 90
`
`
`
`67.
`The theft from Plaintiff would not have occurred but for MINT’s unauthorized transfer
`of control over Plaintiff’s MINT account, MINTs failure to maintain proper security measures to
`prevent the unauthorized SIM port that took place, and MINT’s denial of service to Plaintiff during the
`critical timeframe in which Plaintiff was unable to monitor the unauthorized person’s efforts to steal
`Plaintiff’s assets by using, inter alia, Plaintiff’s own cellphone number.
`67.68. Upon information and belief, MINT possesses documentation in its corporate records
`that demonstrate not only the inadequacy of its security systems but also the intentional decisions at
`MINT to bypass required security and privacy measures that led to the unauthorized release of
`Plaintiff’s personal information and which precipitated the unauthorized SIM port. Any effort by
`MINT to withhold or conceal those documents further exacerbates the harm MINT has caused Plaintiff.
`MINT’S STATUTORY OBLIGATION TO PROTECT CUSTOMERS’ PERSONAL INFORMATION
`68.69. As a common carrier, MINT is obligated to protect the confidential personal information
`of its customers under Section 222 of the FCA [47 U.S.C. § 222].
`69.70. Section 222(a) [47 U.S.C. § 222(a)] provides that “[e]very telecommunications carrier
`has a duty to protect the confidentiality of proprietary information of and relating to ... customers ....”
`The “confidential proprietary information” referred to in Section 222(a) is abbreviated herein as “CPI.”.
`70.71. Section 222(c) [47 U.S.C. § 222(c)] additionally provides that:
`
`[e]xcept as required by law or with the approval of the customer, a
`telecommunications carrier that receives or obtains customer proprietary
`network information by virtue of its provision of a telecommunications
`service shall only use, disclose, or permit access to individually
`identifiable customer proprietary network information in its provision of
`(A) the telecommunications service from which such information is
`derived, or (B) services necessary to, or used in, the provision of such
`telecommunications service, including the publishing of directories.
`The “customer proprietary network information” referred to in Section 222(c) is abbreviated herein as
`“CPNI.”
`71.72. Section 222(h)(1) [47 U.S.C. § 222(h)(1)] defines CPNI as: “(A) information that relates
`to the quantity, technical configuration, type, destination, location, and amount of use of a
`telecommunications service subscribed to by any customer of a telecommunications carrier, and that is
`made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`- 13 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 15 of 90
`
`
`
`(B) information contained in the bills pertaining to telephone exchange service or telephone toll service
`received by a customer of a carrier, except that term does not include subscriber list information.”
`72.73. The FCC has promulgated rules to implement Section 222 “to ensure that
`telecommunications carriers establish effective safeguards to protect against unauthorized use or
`disclosure of CPNI.” See, 47 CFR § 64.2001 et seq. (“CPNI Rules”); CPNI Order, 13 FCC Rcd. at
`8195 ¶ 193. The CPNI Rules limit disclosure and use of CPNI without customer approval to certain
`limited circumstances (such as cooperation with law enforcement), none of which are applicable to the
`facts here. 47 CFR § 64.2005.
`73.74. The CPNI Rules require carriers to implement safeguards to protect customers’ CPNI.
`These safeguards include: (i) training personnel “as to when they are and are not authorized to use
`CPNI”; (ii) establishing “a supervisory review process regarding carrier compliance with the rules”;
`and (iii) filing annual compliance certificates with the FCC. 47 CFR § 64.2009(b), (d), and (e).
`74.75. The CPNI Rules further require carriers to implement measures to prevent the disclosure
`of CPNI to unauthorized individuals. 47 CFR § 64.2010. For example, “carriers must take reasonable
`measures to discover and protect against attempts to gain unauthorized access to CPNI.” 47 CFR §
`64.2010(a). Moreover, “carriers must properly authenticate a customer prior to disclosing CPNI based
`on customer-initiated telephone contact, online account access, or an in-store visit.” Id. In the case of
`in-store access to CPNI, “[a] telecommunications carrier may disclose CPNI to a customer who, at a
`carrier’s retail location, first presents to the telecommunications carrier or its agent a valid photo ID
`matching the customer’s account information.” 47 CFR § 64.2010(d) (emphasis added). “Valid photo
`ID” is defined in 47 CFR § 64.2003(r) as “a government-issued means of personal identification with
`a photograph such as a driver’s license, passport, or comparable ID that is not expired.”
`75.76. More than a decade ago, the FCC was already aware that there was “a substantial need
`to limit the sharing of CPNI with others” because the “black market for CPNI has grown exponentially
`with an increased market value placed on obtaining this data, and there is concrete evidence that the
`dissemination of this private information does inflict specific and significant harm on individuals,
`including harassment and the use of the data to assume a customer’s identity.” See, In the Matter of
`Implementation of the Telecommunications Acts of 1996: Telecommunications Carriers’ Use of
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`- 14 -
`FIRST AMENDED COMPLAINT
`
`Case No. 3:22-cv-00138-WHA
`
`
`
`Case 3:22-cv-00138-WHA Document 42-2 Filed 05/13/22 Page 16 of 90
`
`
`
`Customer Proprietary Network Information and Other Customer Information, 22 FCC Rcd. 6927
`(2007) (“Pretexting Order”), at Pg. 22 ¶39.
`76.77. The FCC refers to obtaining CPNI from customers through common social engineering
`ploys as “pretexting.” Pretexting is “the practice of pretending to be a particular customer or other
`authorized person in order to obtain access to that customer’s call detail or other private
`communications records.” Id., at 6927 n. 1. Such “call detail” and “private communications” are CPI