`
`UNITED STATES DISTRICT COURT
`FOR THE SOUTHERN DISTRICT OF FLORIDA
`FORT LAUDERDALE DIVISION
`
`
`
`
`
`
`
`
`
`
`
`DEMAND FOR JURY TRIAL
`
`
`KEVIN FRYE
`
`Plaintiff
`
`v.
`
`T-MOBILE USA, INC.
`
`Defendant
`
`________________________________/
`
`
`VERIFIED COMPLAINT
`
`
`
`COMES NOW the Plaintiffs, Kevin Frye, through undersigned counsel, (herein referred
`
`to as “Plaintiff” or “Frye”) and states in support as follows:
`
`NATURE OF THE ACTION
`
` This is an action for COUNT I: VIOLATION OF THE FEDERAL
`
`COMMUNICATIONS ACT, COUNT II: NEGLIGENCE, COUNT III: GROSS
`
`NEGLIGENCE, COUNT IV: NEGLIGENT HIRING, RETENTION AND
`
`SUPERVISION, COUNT V: VIOLATIONS OF THE COMPUTER FRAUD AND
`
`ABUSE ACT.
`
`INTRODUCTION
`
`1.
`
`This action arises out of T-Mobile USA, Inc.’s (hereinafter “T-Mobile”) systemic and
`
`repeated failures to protect and safeguard its customers’ highly sensitive personal and
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 2 of 30
`
`financial information against common, widely reported, and foreseeable attempts to illegally
`
`obtain such information.
`
`2.
`
`As a result of T-Mobile’s misconduct as alleged herein, including their gross
`
`negligence in protecting customer information, its negligent hiring and supervision of
`
`customer support personnel and its violations of federal and state laws designed to protect
`
`wireless service consumers, Plaintiff lost 1.91130741 bitcoin (“BTC”), with a current
`
`estimated value in excess of $87,000 due to an account takeover scheme (also known as a
`
`“SIM-swap”) which could not have occurred but for Defendant’s intentional actions and
`
`negligent practices, as well as their repeated failure to adhere to federal and state laws.
`
`PARTIES
`
`3.
`
`4.
`
`Plaintiff Kevin Frye is a resident of Broward, County, Florida.
`
`Defendant is a Delaware corporation with a principal place of business in the
`
`State of Washington.
`
`JURISDICTION AND VENUE
`
`5.
`
`This Court has jurisdiction of Plaintiff’s claims pursuant to 28 U.S.C. §§1331, as this
`
`case arises under federal statutes, such as the Federal Communications Act (“FCA”) at 47
`
`U.S.C. §222, the Stored Communications Act (“SCA”) at 18 U.S.C. §2701, and the
`
`Computer Fraud and Abuse Act (“CFAA”) at 18 U.S.C. §1030.
`
`6.
`
`Furthermore, the Court has jurisdiction under 28 U.S.C. §1332 in that the
`
`amount in controversy exceeds $75,000.00, inclusive of attorney fees, costs, and
`
`statutory interest, and Plaintiff and Defendant are citizens of different states.
`
`2
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 3 of 30
`
`7.
`
`Venue is proper in this court as the events relevant to this action occurred in
`
`the County of Broward, which is located in the United States District Court for the
`
`Southern District of Florida.
`
`8.
`
`Pursuant to the Court’s supplemental jurisdiction under 28 U.S.C. §1367, it
`
`may entertain the state law claims as they are derived from a common nucleus of
`
`operative facts.
`
`9.
`
`The Defendant has established minimum contacts within Florida subjecting
`
`them to jurisdiction herein.
`
`10.
`
`Plaintiff Frye entered into a contract with Metro by T-Mobile (hereinafter
`
`“T-Mobile”) in approximately 2013.1
`
`11. Defendant T-Mobile provided their services in Broward County, Florida and
`
`Plaintiff Frye utilized cell towers operated by the Defendant in Broward County,
`
`Florida.
`
`12. T-Mobile, by operating, conducting, engaging in, or carrying on a business
`
`venture in the State of Florida, T-Mobile availed itself to the personal jurisdiction in
`
`the State of Florida, pursuant to section 48.193(1)(a), Florida Statutes.
`
`13. T-Mobile availed itself to the personal jurisdiction of the State of Florida by
`
`soliciting business within the State, pursuant to section 48.193(1)(f)(1), Florida
`
`Statutes.
`
`
`1 In 2012, T-Mobile merged with and acquired Metro.
`
`
`
`
`
`
`
`
`
`
`
`
`
`3
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 4 of 30
`
`14. T-Mobile availed itself to personal jurisdiction in the State of Florida by
`
`engaging in substantial business activity within the state, pursuant to Section
`
`48.193(2), Florida Statutes.
`
`15. T-Mobile’s actual interactions establish a physical presence within the State
`
`of Florida. The commercial quality and interaction with businesses and individuals
`
`within the State of Florida establish a “plus” factor to establish sufficient minimum
`
`contacts. Cf. Roblor Mktg. Group, Inc. v. Gps Indus., Inc., 645 F. Supp. 2d 1130
`
`(S.D. Fla. 2009).
`
`16. The plaintiff’s claims all arise out of or relate to the defendant's contacts with
`
`the forum thus satisfying the Fourteenth Amendment's Due Process Clause.
`
`17. All conditions precedent to this action have been met through performance,
`
`or otherwise.
`
`18.
`
` Plaintiff has retained the undersigned law firm to represent it in this action
`
`and is obligated to pay the firm a reasonable fee for its services.
`
`GENERAL BACKGROUND
`
`19. T-Mobile markets and sells wireless cellular phone service through
`
`standardized wireless service plans via various retail locations, online sales, and
`
`over the telephone.
`
`20. T-Mobile has approximately 1,015 stores in Florida and approximately 119
`
`stores in South Florida, including Fort Lauderdale.
`
`21. The Defendant has a substantial advertising budget in Florida where it
`
`4
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 5 of 30
`
`estimated they spend millions annually marketing their services to residents of South
`
`Florida.
`
`22. T-Mobile maintains accounts for its wireless customers, enabling them to
`
`access information about the services they purchase from T-Mobile.
`
`23.
`
`It is widely recognized and has been widely publicized that mishandling of
`
`customer wireless accounts, including, but not limited to, allowing unauthorized
`
`access, can facilitate identity theft and related consumer harm.
`
`24. Numerous instances of mishandling of customer account information have
`
`occurred at T-Mobile.
`
`25. As one of the nation’s largest wireless carriers, T-Mobile’s operations must
`
`comply with various federal and state statutes, including (but not limited to) the
`
`Federal Communications Act ("FCA") 47 U.S.C. §222.
`
`26. The FCA obligates T-Mobile to protect the “confidential proprietary
`
`information of [its] customers” and “customer proprietary network information”
`
`(commonly referred to as “CPI” and “CPNI”, respectively). See 47 U.S.C. §222(a),
`
`(c).
`
`27. The Federal Communications Commission (“FCC”) has promulgated rules
`
`to implement Section 222 of the FCA “to ensure that telecommunications carriers
`
`establish effective safeguards to protect against unauthorized use or disclosure of
`
`CPNI.” 1998 CPNI Order, 13 FCC Rcd. at 8195 ¶193; see also 47 C.F.R. §64.2001
`
`et seq. (“CPNI Rules”).
`
`5
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 6 of 30
`
`28. The CPNI Rules limit disclosure and use of CPNI without customer approval
`
`to certain limited circumstances (such as cooperation with law enforcement), none
`
`of which are applicable to the facts here. See 47 C.F.R. §64.2005.
`
`29. The CPNI Rules also require carriers to implement safeguards to protect
`
`customers’ CPNI. See 47 C.F.R. §64.2009(b), (d), and (e).
`
`30. These safeguards include: (a) training personnel “as to when they are and are
`
`not authorized to use CPNI”; (b) establishing “a supervisory review process
`
`regarding carrier compliance with the rules”; and (c) filing annual compliance
`
`certificates with the FCC. Id.
`
`31. The CPNI Rules further require carriers to implement measures to prevent
`
`the disclosure of CPNI to unauthorized individuals. For example, “carriers must take
`
`reasonable measures to discover and protect against attempts to gain unauthorized
`
`access to CPNI.” See 47 C.F.R. §64.2010(a).
`
`32. T-Mobile regularly holds itself out to the general public as a secure and
`
`reliable custodian of customer data, including customer’s confidential financial and
`
`personal information.
`
`33. T-Mobile maintains that it uses a variety of “administrative, technical,
`
`contractual, and physical safeguards” to protect customers’ data “against security
`
`incidents, and illegal, fraudulent, or unauthorized activities; investigate suspicious
`
`traffic, cybersecurity threats or vulnerabilities, complaints, and claims; authenticate
`
`6
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 7 of 30
`
`your credentials for account access and information and provide other security
`
`protections, as of August 9, 2021, See https://www.t-mobile.com/privacy-
`
`center/our-practices/privacy-policy.
`
`34. As an example, T-Mobile explicitly states that “when you contact us by
`
`phone or visit us in our stores, we have procedures in place to make sure that only
`
`the primary account holder or authorized users have access.”
`
`35. Upon information and belief, T-Mobile’s sales and marketing materials make
`
`similar representations regarding T-Mobile’s alleged implementation of various
`
`safeguards to protect its customers’ private information (as required by statutes).
`
`36. T-Mobile’s deceptive statements are designed to cover up for the fact that it
`
`is aware that their security procedures can and do fall short of their expressed and
`
`implied representations and promises, as well as their statutory duties.
`
`37.
`
`Such failures, which lead to unauthorized access of customers’ information,
`
`were entirely foreseeable by T-Mobile.
`
`SIM CARD SWITCH
`
`38. As T-Mobile is aware, various forms of account takeover fraud have been
`
`widely reported in the press, by government regulators (including the Federal Trade
`
`Commission (“FTC”) and the FCC), academic publications, and multiple lawsuits
`
`across the country.
`
`39. These illegal schemes involve criminals and fraudsters gaining access to or
`
`7
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 8 of 30
`
`“hijacking” customer wireless accounts, which often include sensitive personal and
`
`financial information, to induce third parties to conduct transactions with individuals
`
`they believe to be legitimate or known to them.
`
`40.
`
`Sometimes these schemes are perpetrated by employees of the wireless
`
`carriers, such as T-Mobile.
`
`41. One of the most damaging and pervasive forms of account takeover fraud is
`
`known as a “SIM-Swap”, whereby a third-party (with the help of a wireless carrier
`
`like T-Mobile) is allowed to transfer access to a customer’s cellular phone number
`
`from the customer’s registered “subscriber identity module” card (or “SIM card”) –
`
`to a SIM card controlled by the third party.
`
`42. A SIM Card has a complete record of a user’s cell phone history, inclusive
`
`of text messages, calls, and any Apps which a user has downloaded.
`
`43. A SIM swap is when a hacker convinces a carrier to switch a phone number
`
`over to a SIM card they own. Once a hacker has access to the phone number then
`
`they control the text-based two-factor authentication checks specifically designed to
`
`add a layer of protection to sensitive accounts such as bank accounts, social media
`
`accounts, and email accounts.
`
`44. The wireless carrier, however, must effectuate the SIM card reassignment
`
`and, therefore, “SIM-swapping” is not an isolated criminal act, as it requires the
`
`wireless carrier’s active involvement to swap the SIM containing information
`
`regarding its customer to an unauthorized person’s phone.
`
`8
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 9 of 30
`
`45.
`
`Indeed, unlike a direct hack of data, whereby a company like T-Mobile plays
`
`a more passive role, SIM-swaps are ultimately effectuated by the wireless carrier
`
`itself. For instance, in this case, it is T-Mobile that approved and allowed the SIM
`
`card change (without Plaintiff’s authorization), as well as all of the subsequent
`
`telecommunication activity that was used to access Plaintiff’s online accounts and
`
`cause the injuries suffered by Plaintiff.
`
`46. As such, by directly or indirectly exceeding the authorized access to
`
`customer accounts, wireless carriers such as T-Mobile may be liable under state and
`
`federal statutes, such as the Federal Communications Act (“FCA”).
`
`47. Once a third-party has access to the legitimate user’s SIM card data, it can
`
`then seamlessly
`
`impersonate
`
`that
`
`legitimate wireless customer (e.g.,
`
`in
`
`communicating with others or contacting various vendors).
`
`48. A common target of SIM-swapping and account takeover fraud are
`
`individuals known, or expected, to hold cryptocurrency, because account
`
`information is often contained on users’ cellular phones, allowing criminals to
`
`transfer the legitimate user’s cryptocurrency to an account the third-party controls.
`
`49. The Federal Communications investigated T-Mobile and on February 28,
`
`2020 released a report which read as follows:
`
`The American public and federal law consider such information highly personal and
`sensitive—and justifiably so. As the Supreme Court has observed, location data
`associated with wireless service “provides an intimate window into a person’s life,
`revealing not only his particular movements, but through them his familial, political,
`
`
`
`
`
`
`
`
`
`
`
`
`
`9
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 10 of 30
`
`professional, religious, and sexual associations.”4 Section 222 of the Communications
`Act requires carriers to protect the confidentiality of certain customer data related to the
`provision of telecommunications service, including location information. The
`Commission has advised carriers that this duty requires them to take “every reasonable
`precaution” to safeguard their customers’ information. The Commission has also
`warned carriers that the FCC would “[take] resolute enforcement action to ensure that
`the goals of section 222 are achieved.
`
`
`Today, we do exactly that. In this Notice of Apparent Liability, we propose a penalty of
`$91,630,000 against T-Mobile USA, Inc. (T-Mobile or Company) for apparently violating
`section 222 of the Communications Act and the Commission’s regulations governing the
`privacy of customer information. We find that T-Mobile apparently disclosed its
`customers’ location information, without their consent, to third parties who were not
`authorized to receive it. In addition, even after highly publicized incidents put the
`Company on notice that its safeguards for protecting customer location information were
`inadequate, T-Mobile apparently continued to sell access to its customers’ location
`information for the better part of a year without putting in place reasonable
`safeguards—leaving its customers’ data at unreasonable risk of unauthorized
`disclosure.2
`
`
`50. The prevalence of SIM-swap fraud and T-Mobile’s knowledge of such fraud,
`
`including, but not limited to, that performed with the active participation of its own
`
`employees, demonstrate that what happened with Plaintiff’s account was neither an
`
`isolated incident nor an unforeseeable event.
`
`51. As a regulated wireless carrier, T-Mobile has a well-established duty – one
`
`which it freely acknowledges on its corporate website – to protect the security and
`
`privacy of CPI and CPNI from unauthorized access and T-Mobile is obligated to
`
`certify its compliance with this mandate to the FCC every year.3
`
`
`2 In the Matter of T-Mobile USA, Inc., File No. EB-TCD-18-00027702 (February 28, 2020), page 1786.
`3 See, e.g., https://www.t-mobile.com/privacy-center/education-and-resources/cpni.
`
`
`
`
`
`
`
`
`
`
`
`
`
`10
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 11 of 30
`
`52. The prevalence of SIM-swap fraud and T-Mobile’s knowledge of such fraud,
`
`including, but not limited to, that performed with the active participation of its own
`
`employees, demonstrate that what happened with Plaintiff’s account was neither an
`
`isolated incident nor an unforeseeable event.
`
`53. As a regulated wireless carrier, T-Mobile has a well-established duty – one
`
`which it freely acknowledges on its corporate website – to protect the security and
`
`privacy of CPI and CPNI from unauthorized access and T-Mobile is obligated to
`
`certify its compliance with this mandate to the FCC every year.
`
`54. The FCA expressly restricts carriers like T-Mobile from unauthorized
`
`disclosure of CPNI.
`
`55.
`
`In light of the above, at the time of the events at issue in the present case, T-
`
`Mobile was keenly aware of its obligations, as well as multiple weaknesses in its
`
`internal processes and procedures to authenticate legitimate customers.
`
`56. The failure of T-Mobile to have proper safeguards and security measures as
`
`recommended by the FCC resulted in damages to Plaintiff in an amount to be
`
`determined at trial.
`
`FACTUAL ALLEGATIONS
`
`57.
`
`Plaintiff Frye has been a T-Mobile customer since approximately 2013 and
`
`has had the phone number 954-290-7877.
`
`58.
`
`Plaintiff was using his phone on or about July 6, 2021 when suddenly he had
`
`no service. This was not uncommon however and the Defendant thought coverage
`
`11
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 12 of 30
`
`was out due to the discussion of an impending storm.
`
`59. When Frye attempted to make a call he received a message that he needed to
`
`register his device.
`
`60. On or about July 7, 2021, Plaintiff Frye visited the T-Mobile store at 9180
`
`W State Rd 84, Davie, FL 33324. A T-Mobile representative informed Frye that he
`
`had just purchased a new phone that his number had been ported over to that device.
`
`61.
`
`Frye was told by a representative that numbers get ported over by accident
`
`all the time.
`
`62. A T-Mobile Representative then ported the number back to his phone. No
`
`identification or password/security pin was required in order to port Frye’s number
`
`back to his phone.
`
`63.
`
`Subsequently, Frye had to reset his password by literally telling a
`
`representative over the phone his new password, there was never an option to
`
`discreetly enter his own password, which allowed representatives from T-Mobile to
`
`access the account and/or change the password at any time.
`
`64. While in the local T-Mobile Store in Davie, Florida, a T-Mobile
`
`Representative informed Frye that hackers wouldn’t have been able to get access to
`
`his apps. However, representatives failed to caution Frye to check his email account
`
`and change his passwords.
`
`65. Upon information and belief, it was via email that hackers were able to access
`
`and gain control of Frye’s passwords, including but not limited to, his Coinbase
`
`12
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 13 of 30
`
`Account.
`
`66. After regaining use of his phone, Plaintiff logged into his Coinbase Account
`
`and his Wells Fargo Account only to see everything appeared normal, his account
`
`balances were the same as before.
`
`67. T-Mobile personnel should have been trained properly in order to inform
`
`Frye to immediately freeze all his accounts and change all his passwords.
`
`68.
`
`Subsequently, on or about July 12, 2021, Frye received a message from Well
`
`Fargo that his account was about to be overdrawn. Upon logging into his Wells Fargo
`
`account, he discovered that he had been hacked.
`
`69. The hackers effected ACH Transfers from his Wells Fargo Account to his
`
`Coinbase Account in the amount of $1,000.00 and $536.00 on July 9, 2021.
`
`70. The hackers continued making smaller transfers until July 13, 2021 when
`
`they attempted transfers of $15,000.00 and $34,400.00, which triggered the
`
`notification from Wells Fargo that his account was to be overdrawn.
`
`71. Had the hackers not attempted to overdraw the Wells Fargo Account, which
`
`triggered a warning message, then Plaintiff would also have lost all the money in his
`
`Wells Fargo Account.
`
`72.
`
`Subsequently, Frye attempted to login to his Coinbase Account, which is
`
`when he discovered that he couldn’t log in. The hackers had changed his password
`
`and withdrawn 1.91130741 Bitcoin, worth a current estimated value of $87,000.00,
`
`based upon the market valuation at the time this complaint was written.
`
`13
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 14 of 30
`
`73. On August 2, 2021, T-Mobile sent Frye a letter acknowledging that there
`
`were two independent security breaches (See attached Exhibit “A”).
`
`74. According to T-Mobile, the first security breach occurred at 6:27:22 PM CST
`
`and lasted until 6:38:08 PM CST.
`
`75. According to T-Mobile, the second security breach occurred the following
`
`day on July 7, 2021 at 6:31:25 PM CST and lasted until 6:45:14 PM CST.
`
`76.
`
` During the breach, the hackers were able to disable Coinbase’s notification
`
`system, thus enabling them to make numerous undetected transfers from Frye’s
`
`Account. The hackers placed filters which sent all the email notifications from
`
`Coinbase directly to Frye’s Spam email account.
`
`LACK OF SECURITY PROTOCOLS
`
`77. T-Mobile has been on notice for years that their security measures were not
`
`adequate. Despite this, sufficient security measures were not in place to prevent this
`
`SIM Card swap and the corresponding theft.
`
`78. A SIM swapping attack is otherwise known as SIM splitting, SIMjacking,
`
`SIM hijacking, and port-out scamming. It’s a scam that happens when fraudsters use
`
`the weakness of two-factor authentication and verification which involves the
`
`second step of the process receiving a text message or phone call to your cellphone
`
`number.
`
`79. Despite this knowledge of inherent security flaws, T-Mobile and its Officers
`
`and directors acted with a conscious and reckless disregard of the security of
`
`14
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 15 of 30
`
`customers, failing to ratify and implement policies that would protect its customers’
`
`accounts.
`
`80. A valid driver’s license and a valid pin/security code should have been
`
`required in order to port a number to a new phone.
`
`81.
`
`Security measures should have been in place which required the original SIM
`
`to be present in order for that information to be placed onto a new device.
`
`82. The fact that Frye’s number was ported over without the original Sim device
`
`being present and without a valid ID corroborating Frye’s identity point to either
`
`completely substandard security procedures or this being an inside job by a T-Mobile
`
`Representative.
`
`83. T-Mobile should require SIM Card swaps to be done in person via their
`
`extensive network of stores.
`
`84. After the SIM Card Swap took place, T-Mobile Representatives should have
`
`advised Smith to check any brokerage accounts, bank accounts, crypto accounts, and
`
`immediately freeze/stop payments on all activity associated with those accounts.
`
`85. T-Mobile Representatives were either complicit with the theft or grossly
`
`negligent.
`
`86. T-Mobiles’ officers and directors exhibited a conscious and reckless
`
`disregard for the security of its customers by failing to implement sufficient security
`
`protocols.
`
`87.
`
`Frye has filed a police report with Broward Sherriff’s Office as well as with
`
`15
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 16 of 30
`
`the FBI.
`
`CAUSES OF ACTION
`
`COUNT I: VIOLATION OF THE FEDERAL COMMUNICATION ACT
`
`88.
`
`Plaintiff incorporates by reference all facts and allegations of paragraphs 1-
`
`87 of this Complaint, as if the same were fully set forth herein.
`
`89. The FCA regulates interstate telecommunications carriers, including T-
`
`Mobile.
`
`90. T-Mobile is a “common carrier” or a “telecommunications carrier” engaged
`
`in interstate commerce by wire for the purpose of furnishing communication services
`
`within the meaning of Section 201(a) of the FCA. See 47 U.S.C. §201(a).
`
`91. As a “common carrier”, T-Mobile is subject to the substantive requirements
`
`of Sections 201 through 222 of the FCA. See 47 U.S.C. §§201-222.
`
`92. Under Section 201(b) of the FCA, common carriers may implement only
`
`those practices, classifications, and regulations that are “just and reasonable” and
`
`practices that are “unjust or unreasonable” are unlawful.
`
`93.
`
`Section 206 of the FCA, entitled “Carriers’ liability for damages” provides:
`
`In case any common carrier shall do, or cause or permit to be done, any act,
`matter, or thing in this chapter prohibited or declared to be unlawful, or shall
`omit to do any act, matter, or thing in this chapter required to be done, such
`common carrier shall be liable to the person or persons injured thereby for the
`full amount of damages sustained in consequence of any such violation of the
`provisions of this chapter, together with a reasonable counsel or attorney’s fee,
`to be fixed by the court in every case of recovery, which attorney’s fee shall be
`taxed and collected as part of the costs in the case.
`
`16
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 17 of 30
`
`94.
`Section 207 of the FCA, entitled “Recovery of damages”
`further provides:
`
`
`Any person claiming to be damaged by any common carrier
`subject to the provisions of this chapter may either make
`complaint to the [FCC] as hereinafter provided for, or may bring
`suit for the recovery of the damages for which such common
`carrier may be liable under the provisions of this chapter, in any
`district court of the United States of competent jurisdiction; but
`such person shall not have the right to pursue both remedies.
`
`95. Additionally, Section 222(c) of the FCA explicitly requires that
`
`telecommunications carriers protect its customers’ CPNI. See 47 U.S.C. §222(c).
`
`96. According to the CPNI Rules:
`
`
`Safeguarding CPNI. Telecommunications carriers must take reasonable
`measures to discover and protect against attempts to gain unauthorized
`access to CPNI. Telecommunications carriers must properly authenticate
`a customer prior to disclosing CPNI based on customer-initiated contact,
`online account access, or an in-store visit.
`
`…
`
`
`In-store access to CPNI. A telecommunications carrier may disclose
`CPNI to a customer who, at a carrier’s retail location, first presents to the
`telecommunications carrier or its agent a valid photo ID matching the
`customer’s account information.
`
`
`T-Mobile violated its duties under Section 222 of the FCA by failing to
`
`protect Plaintiff’s CPI and CPNI by using, disclosing, or permitting access to
`
`Plaintiff’s CPI and CPNI without the consent, notice, and/or legal
`
`authorization of Plaintiff as required by the FCA, in that upon information
`
`and belief:
`
`a. during an in-store visit, or over the phone, Plaintiff’s CPI
`
`17
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 18 of 30
`
`and CPNI were disclosed to someone other than Plaintiff
`
`by an agent of Defendant;
`
`b. during an in-store visit, or over the phone,, Plaintiff’s CPI
`
`and CPNI were disclosed to someone, who was not
`
`properly authenticated by Defendant; during an in-store
`
`visit, or over the phone, Plaintiff’s CPI and CPNI were
`
`disclosed to someone, who did not first present a valid
`
`photo ID to Defendant.
`
`97. As alleged herein, T-Mobile failed to protect the confidentiality of Plaintiff’s
`
`CPI and CPNI when it disclosed Plaintiff’s CPNI and CPI to third-parties without
`
`Plaintiff’s authorization or permission.
`
`98. T-Mobile’s conduct, as alleged herein, constitute knowing violations of the
`
`FCA, including sections 201(b) and 222, as well as the CPNI Rules.
`
`99. T-Mobile is also liable for the acts, omissions, and/or failures, as alleged
`
`herein, or its officers, employees, agents, or any other persons acting for or on behalf
`
`of T-Mobile.
`
`100. T-Mobile’s violation of
`
`the FCA allowed unauthorized parties
`
`to
`
`impersonate Plaintiff in transactions with others.
`
`101. T-Mobile violated the FCA, including Section 222, by allowing an
`
`unauthorized party to access Plaintiff’s CPI and CPNI, resulting in, inter alia,
`
`Plaintiff’s loss of his possessions, including 1.91130741 Bitcoin.
`
`18
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 19 of 30
`
`102. As a direct consequence of T-Mobile’s violations of the FCA, Plaintiff has
`
`been damaged through the loss of his property, namely 1.91130741 Bitcoin.
`
`103. Had T-Mobile not allowed the unauthorized access to Plaintiff’s account,
`
`Plaintiff would not have suffered this loss.
`
`104. T-Mobile, by its inadequate procedures, practices, and regulations, engages
`
`in practices which, when taken together:
`
`a. fail to provide reasonable, appropriate, and sufficient security to
`
`prevent unauthorized access to its customers’ wireless accounts;
`
`b. allow unauthorized persons to be authenticated; and
`
`c. grant access to sensitive customer account information.
`
`105.
`
`In particular, T-Mobile failed to establish and implement reasonable policies,
`
`procedures and safeguards governing the creation, access, and authentication of user
`
`credentials to access customers’ accounts, creating an unreasonable risk of
`
`unauthorized access.
`
`106. As such, in violation of the FCA, T-Mobile has failed to ensure that only
`
`authorized persons have access to customer account data and that customers’ CPI
`
`and CPNI are secure.
`
`107. Among other things, T-Mobile:
`
`a. failed to establish and enforce rules and procedures sufficient to
`
`ensure only authorized persons have access to T-Mobile customer
`
`accounts, including that of Plaintiff;
`
`19
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 20 of 30
`
`b. failed to establish appropriate rules, policies and procedures for the
`
`supervision and control of its officers, agents and employees;
`
`c. failed to establish and enforce rules and procedures, or provide
`
`adequate supervision or training sufficient to ensure that its
`
`employees and agents follow such rules and procedures, to restrict
`
`access by unauthorized persons;
`
`d. failed to establish and enforce rules and procedures to ensure T-
`
`Mobile’s employees and agents adhere to the security instructions of
`
`customers with regard to accessing customers’ accounts, including
`
`that of Plaintiff;
`
`e. failed to adequately safeguard and protect its customers’ wireless accounts;
`
`f. permitted the sharing of and access to user credentials among T-
`
`Mobile’s agents or employees without a pending request from the
`
`customer, reducing the likely detection of and accountability for
`
`unauthorized access;
`
`g. failed to appropriate supervise employees and agents, who granted
`
`unauthorized access to customers’ accounts, including that of
`
`Plaintiff;
`
`h. failed to adequately train and supervise its employees, officers and
`
`agents to prevent the unauthorized access to customer accounts;
`
`i.
`
`failed to prevent the ability of employees, officers and agents to
`
`20
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 0:21-cv-61653-KMM Document 1 Entered on FLSD Docket 08/10/2021 Page 21 of 30
`
`access and make changes to customer accounts without specific
`
`customer authorization;
`
`j. allowed “porting out” of cell phone numbers without properly
`
`confirming that the request was coming from legitimate customers;
`
`lacked proper monitoring and, therefore, failed to monitor
`
`its systems for the presence of unauthorized access in a
`
`manner that would allow T-Mobile to detect intrusions,
`
`breaches of security, and unauthorized access to customer
`
`information;
`
`c. failed to implement and maintain readily available best
`
`practices to safeguard customer information (and indeed,
`
`seemed to suggest such practices were only available to
`
`those customers who “paid for” the privilege of having
`
`their information secured);
`
`d. failed to timely diagnose and determine the cause of
`
`Plaintiff’s service interruption;
`
`e. failed to timely notify Plaintiff of the cause of Plaintiff’s
`
`service interruption; and
`
`f. failed to implement and mai