Case 1:20-cv-03276-NGG-RLM Document 1 Filed 07/21/20 Page 1 of 25 PageID #: 1
UNITED STATES DISTRICT COURT FOR THE
EASTERN DISTRICT OF NEW YORK

COMPLAINT

DEMAND FOR JURY TRIAL

Reginald Middleton,

and

Veritaseum, LLC,

Plaintiffs,

v.

T-Mobile US, Inc.,

Defendant.

Plaintiffs Reginald Middleton and Veritaseum LLC (collectively, “Plaintiffs” and
individually “Mr. Middleton” and “Veritaseum”), by and through their counsel, complain
and allege as follows against T-Mobile US, Inc. (“Defendant” or “T-Mobile”):

NATURE OF THE CASE

1. This action arises out of T-Mobile’s failure to protect its customers’ highly
sensitive personal and financial information. As a result of T-Mobile’s gross negligence
in protecting Plaintiffs’ information, its negligent hiring and supervision of T-Mobile
employees who were responsible for safeguarding that information, and its violation of
laws that expressly protect the information of wireless carrier customers, Plaintiffs lost
$8.7 million in cryptocurrency and Mr. Middleton suffered and continues to suffer severe
anxiety, fear and emotional distress relating to the repeated instances of identity theft that
he experienced as a result of T-Mobile’s inadequate protection of his personal and
financial information.

2. T-Mobile is one of the three largest wireless carriers in the United States.
As a leading wireless carrier, T-Mobile holds itself out, and is required by law to be
equipped to protect the personal and financial information of its customers. Consistent
with its duty to protect such information, T-Mobile promises its customers that it uses a
variety of administrative, technical, and physical security measures designed to protect its
customers’ personal data—and particularly their data-rich SIM cards—against
accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or
use while it is under their control.

3. As T-Mobile is aware, and has been widely reported in the press and by
the government regulators, including the Federal Trade Commission (“FTC”) and Federal
Communications Commission (“FCC”), fraudsters have been increasingly using schemes
to access customer personal and financial information by causing unauthorized changes
in customers’ wireless accounts. The purpose of these schemes is to compromise
customers’ mobile identities, access confidential data, take over their financial accounts,
and effectuate fraudulent transactions.

4. One of the most damaging and pervasive schemes is fraudulent SIM card
swapping. In SIM card swapping schemes, a hacker convinces a mobile phone carrier to
transfer access of a targeted person’s phone number from her registered SIM card — the
small portable chip that houses identification information connecting an account to the
cell network — to the hacker’s SIM card. Once the hacker has access to this information,
the hacker takes over the user’s cell phone. Often, the hacker targets individuals who are
known, or expected, to hold large quantities of cryptocurrency. If the target has
cryptocurrency account information on his or her phone, the hacker can transfer that
cryptocurrency to his or her own accounts.

5. In 2016, the FTC’s Chief Technologist described these issues in a widely
read post about her experience as a victim of an identity theft scheme and specifically
called attention to the insidious “SIM swapping” scheme in which thieves use a victim’s
hijacked phone number to gain access to financial accounts that use two-factor
authentication through text messages. See “Your mobile phone account could be hijacked
by an identity thief,” Lorrie Cranor, FTC Chief Technologist (Jun 7, 2016).
https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief.
T-Mobile was undoubtedly aware of this scheme and
represented to its customers that they were protected against this type of identity theft
scheme.

6. Nevertheless, in 2017, hackers began a campaign to victimize Reginald
Middleton, a well-known holder of cryptocurrency and founder and sole owner of
Veritaseum, a cryptocurrency company, through, and with the assistance of, his wireless
carrier T-Mobile. On or about July 23, 2017, hackers targeted Mr. Middleton’s
cryptocurrency account by accessing his account at T-Mobile which he maintained for
the use of Veritaseum and himself. In order to gain access to Mr. Middleton’s financial
accounts, a party unknown to Plaintiffs called T-Mobile pretending to be Mr. Middleton
and seeking to conduct a SIM card swap. T-Mobile denied that request. The same or a
related party proceeded to call three more times, each time seeking to conduct a SIM card
swap. On the next two attempts, T-Mobile denied the request. On the fourth attempt,
T-Mobile granted access to this unknown party without Mr. Middleton’s authorization.

7. T-Mobile then swapped Mr. Middleton’s SIM card and transferred control
of Mr. Middleton’s phone number to a device under the control of the unknown party.
That party was a hacker, who immediately took control of Mr. Middleton’s phone,
accessed multiple accounts of Mr. Middleton and Veritaseum on his phone, accessed Mr.
Middleton’s personal and financial information, and ultimately accessed his corporate
and personal cryptocurrency addresses, wallets and online exchange accounts for holding
cryptocurrency, using the access provided by T-Mobile to bypass the two-factor
authentication (also known as "2FA") security measures.

8. Mr. Middleton’s corporate and personal cryptocurrency addresses, wallets
and online exchange accounts contained $8.7 million of cryptocurrency. The hacker
proceeded to transfer $8.7 million of cryptocurrency from Mr. Middleton’s corporate and
personal cryptocurrency addresses, wallets and online exchange accounts to a separate
cryptocurrency address and wallet owned and controlled by the hacker.

9. Mr. Middleton immediately contacted T-Mobile and spoke with T-Mobile
representatives, including members of T-Mobile's security department about the issue.
T-Mobile’s representatives confirmed that T-Mobile permitted an unauthorized SIM swap
and that T-Mobile would take steps to avoid future SIM swap occurrences.

10. Nevertheless, after the initial SIM swap, hackers continued to gain access
to Mr. Middleton’s phone by performing additional unauthorized SIM swaps with
T-Mobile’s assistance. Despite T-Mobile’s promise to Mr. Middleton that it would prevent
future SIM swaps, hackers persuaded T-Mobile employees to authorize SIM swaps on
August 22, 2017, September 16, 2017, and twice on October 4, 2017. After each
unauthorized SIM swap, Mr. Middleton reported the issue to T-Mobile and T-Mobile
confirmed the unauthorized SIM swap; however, T-Mobile did not take sufficient action
to prevent future SIM swaps from occurring. Indeed, Mr. Middleton was on a call with
T-Mobile’s security representatives, discussing the unauthorized October 4, 2017 SIM
swap, and receiving assurance that T-Mobile had addressed the issue and taken steps to
avoid any future SIM swaps, when the phone cut off because T-Mobile had permitted yet
another unauthorized SIM swap.

11. Even after those five unauthorized SIM swaps in 2017, Mr. Middleton
continued to be victimized by unauthorized SIM swaps in 2018 and 2019. Mr. Middleton
made repeated complaints to T-Mobile in 2018 and 2019 regarding these instances of
unauthorized access to his T-Mobile account. After each such complaint, T-Mobile
failed to take corrective action or do anything to stop the unauthorized access to his
T-Mobile account.

12. Most striking, T-Mobile, itself, conceded its own failure to act in response
to this unauthorized hacking of Mr. Middleton’s account. In a letter to Mr. Middleton
dated June 20, 2018, nearly one year after T-Mobile gave hackers unauthorized access to
Mr. Middleton’s account and caused $8.7 million in losses, T-Mobile reported:

    We recently detected unauthorized activity on your T-Mobile account,
    during which an unknown party would have had access to Customer
    Proprietary Network Information ("CPNI").

13. As a wireless phone carrier, T-Mobile has a well-established duty to its
customers to protect the privacy of its customers’ personal and financial information from
unauthorized access, including under the FCA. Indeed, FCA, Section 222(c)(1) expressly
restricts T-Mobile from the unauthorized disclosure of CPNI.

14. As further described and acknowledged by the FTC’s Chief Technologist
Lorrie Cranor, “mobile carriers are in a better position than their customers to prevent
identity theft through mobile account hijacking and fraudulent new accounts. . . . Carriers
should adopt a multi-level approach to authenticating both existing and new customers
and require their own employees as well as third-party retailers to use it for all
transactions.”

15. T-Mobile abjectly failed in that duty by repeatedly providing hackers with
unauthorized access to Mr. Middleton’s account and Plaintiffs’ personal, business and
financial information. T-Mobile failed to implement and/or practice policies and
procedures to sufficiently protect Mr. Middleton’s information, it failed to train and
supervise its employees, who repeatedly provided unauthorized access to thieves, and it
failed to take corrective action in response to this unauthorized access, as is clear from
the repeated and successive hacking of Mr. Middleton’s phone with the assistance of
T-Mobile employees. T-Mobile’s actions and/or failure to act demonstrate reckless
disregard for the rights of Mr. Middleton and T-Mobile’s obligations and duties under the
law.

16. As a result of T-Mobile’s breaches of security, Plaintiffs lost $8.7 million
worth of cryptocurrency and Mr. Middleton was subjected to repeated, traumatizing
attacks on his accounts that deprived him of access to his cell phone and exposed his
personal and financial information to thieves. Plaintiffs also suffered significant and
material loss of business goodwill and reputation as news of the hacks circulated
throughout the financial, general and industry-specific media. Due to the severity of
Plaintiffs’ financial loss and the repeated nature of the attacks, Mr. Middleton
experienced and continues to experience anxiety and fear of financial injuries and
unwanted publicity due to identity theft. These episodes have caused him great
emotional distress and consequent physical illness stemming from anxiety and fear,
exacerbated by the ongoing nature of the attacks on his T-Mobile account.

JURISDICTION AND VENUE

17. This Court has jurisdiction over this matter under 28 U.S.C. § 1331
because this case arises under federal question jurisdiction under the Federal
Communications Act (“FCA”). The Court has supplemental jurisdiction under 28 U.S.C.
§ 1367 over the state law claims because the claims are derived from a common nucleus
of operative facts. The Court also has jurisdiction over this matter under 28 U.S.C.
§ 1332 and in that the amount in controversy exceeds $75,000 and Plaintiffs and
Defendants are citizens of different states and/or citizens of a foreign state in that Plaintiff
Mr. Middleton is domiciled in the state of New York, Plaintiff Veritaseum, LLC is an
entity with a principal place of business in the state of New York and Defendant
T-Mobile is a corporation with a principal place of business in the state of Washington.

18. Venue is proper in this Court under 28 U.S.C. §§ 1391(b)(3)(1), (b)(2), (c)
and (d) because a substantial part of the events or omissions giving rise to this Complaint
occurred in this District. Plaintiffs have or at the time of the occurrence, had, either a
residence or principal place of business in Manhattan and Brooklyn, New York. Mr.
Middleton obtained wireless services from Defendant T-Mobile in New York in or about
January 2009. Defendant’s violation of Plaintiffs’ privacy in those services is the subject
of this complaint. Mr. Middleton contracted at all times relevant to the allegations herein
to receive wireless services from Defendant T-Mobile for a telephone number with a
New York City area code.

PARTIES

19. Plaintiff Mr. Middleton is a citizen of the United States of America, and a
resident in the State of New York. Mr. Middleton entered into a contract with T-Mobile
at least as early as 2017.

20. Plaintiff Veritaseum, LLC is a company operating within the United States
of America and formed under the laws of the State of Delaware. Veritaseum’s
headquarters and principal place of business was New York, New York. Mr. Middleton is
the sole owner of Veritaseum and he used his T-Mobile account for the business of
Veritaseum.

21. Defendant T-Mobile USA, Inc. is the United States operating entity of
T-Mobile International AG & Co. T-Mobile, USA, Inc.’s headquarters and principal place
of business in the United States is in Bellevue, Washington, in the County of King, WA.
The practices and acts of T-Mobile as alleged in this Complaint have been “charges,
practices, classifications, and regulations” as defined in the FCA.

FACTS AND ALLEGATIONS COMMON TO ALL CLAIMS

22. T-Mobile markets and sells wireless telephone service through
standardized wireless service plans at various retail locations, online sales, and over the
telephone. In connection with its wireless services, T-Mobile maintains wireless accounts
enabling its customers to have access to information about the services they purchase
from T-Mobile.

23. It is widely recognized that mishandling of customer wireless accounts can
facilitate identity theft and related consumer harms and instances of such mishandling have
occurred on numerous occasions at T-Mobile.

24. Among other things, T-Mobile’s Privacy Policy states: “We use a variety
of administrative, technical, and physical security measures designed to protect your
personal data against accidental, unlawful, or unauthorized destruction, loss, alteration,
access, disclosure, or use while it is under our control. We maintain authentication
procedures when you contact us by phone or in retail locations to help ensure that access
is provided only to the primary account holder or authorized users of the account. Online
access to your personal data is protected through passwords and other safeguards.”

25. T-Mobile’s sales and marketing materials state: “We have implemented
various policies and measures to ensure that our interactions are with you or those you
authorize to interact with us on your behalf – and not with others pretending to be you or
claiming a right to access your information.”

26. T-Mobile’s sales and marketing materials further state that, unless
T-Mobile can verify the caller’s identity through certain personal information or a PIN if
requested by the customer, T-Mobile’s policy is not to release any account specific
information.

27. Despite these statements and other similar statements and promises,
T-Mobile failed to provide reasonable and appropriate security to prevent unauthorized
access to customer accounts. Under T-Mobile’s procedures, an unauthorized person,
including T-Mobile’s own agents and employees, acting without the customer’s
permission, can be authenticated and then can access and make changes to all the
information to which the legitimate customer could access and make changes. T-Mobile
also failed to disclose or disclosed misleading information to hide that its automated
processes or human performances often fall short of its expressed and implied
representations or promises, and such failures should have been foreseen by T-Mobile.

28. In or about January 2009, Plaintiff Reginald Middleton entered into a
service agreement with T-Mobile for service on a wireless telephone.

29. In or about 2014, Mr. Middleton founded a cryptocurrency company
called Veritaseum. Mr. Middleton was the sole member and owner of Veritaseum.
Veritaseum paid for the T-Mobile account and Mr. Middleton accessed his Veritaseum
accounts, wallets and exchanges through his T-Mobile account under the belief that
T-Mobile was protecting Plaintiffs’ personal, business and financial information.

30. On or about July 23, 2017, a party unknown to Plaintiffs called T-Mobile,
pretending to be Mr. Middleton. According to T-Mobile, the unknown party called 3
times seeking to conduct a SIM swap and T-Mobile refused those requests each time. For
reasons completely unexplained by T-Mobile, T-Mobile granted this unknown party
access to Mr. Middleton’s account on the 4th call. T-Mobile subsequently swapped Mr.
Middleton’s SIM card and transferred control of Mr. Middleton’s phone number to a
device under the control of the unknown party.

31. Based on T-Mobile’s actions, the unknown party was able to bypass the
two-factor authentication (also known as “2FA”) security measures Mr. Middleton had
put in place – based on T-Mobile’s assurances that 2FA would protect Plaintiffs’
information – thereby compromising Plaintiffs’ personal, business and financial accounts.

32. On or about July 23, 2017, using Plaintiffs’ credentials obtained from
T-Mobile, the unknown party stole approximately $8.7M from Plaintiffs’ corporate and
personal cryptocurrency addresses, wallets and online exchange accounts. Further,
T-Mobile similarly provided access to hackers on at least August 22, 2017, September 16,
2017 and twice on October 4, 2017, and continued to provide access to hackers in
2018 and 2019.

33. Astonishingly, nearly one year after T-Mobile approved the unauthorized
SIM swap, T-Mobile admitted to Mr. Middleton that, based on its records, he did not
authorize the transfer of his phone number to a new device. See Ex. A. Strikingly,
despite the fact that Mr. Middleton reported the phone hacks to T-Mobile
contemporaneously, T-Mobile reported – one year later – that it “recently detected
unauthorized activity on your T-Mobile account,” and identified at least five
unauthorized SIM changes – occurring on at least July 23, 2017, August 22, 2017,
September 16, 2017 and twice on October 4, 2017. Id.

34. By its procedures, practices, and regulations, T-Mobile engages in
practices that, taken together, fail to provide reasonable and appropriate security to
prevent unauthorized access to its customer wireless accounts, allowing unauthorized
persons to be authenticated and then granted access to sensitive customer wireless
account data.

35. In particular, T-Mobile has failed to establish or implement reasonable
policies, procedures, or regulations governing the creation and authentication of user
credentials for authorized customers accessing T-Mobile accounts, creating unreasonable
risk of unauthorized access. As such, at all times material hereto, T-Mobile has failed to
ensure that only authorized persons have such access and that customer accounts are
secure.

36. Among other things, T-Mobile:

a. failed to establish or enforce rules sufficient to ensure only authorized
persons have access to T-Mobile customer accounts;

b. failed to establish appropriate rules, policies, and procedures for the
supervision and control of its officers, agents, or employees;

c. failed to establish or enforce rules, or provide adequate supervision or
training, sufficient to ensure that all its employees or agents follow the
same policies and procedures. For example, it is often possible to
persuade one of T-Mobile agents not to apply the stated security policy
and allow unauthorized access without providing a PIN. Similarly, on
information and belief, T-Mobile agents or employees generally act on
their own regardless of what is in the notes of a customer account,
failing, among other things, to accommodate customers’ security
requests;

d. failed to adequately safeguard and protect its customer wireless
accounts, including that of Plaintiffs, so unauthorized third parties
were able to obtain access to their account;

e. permitted the sharing of and access to user credentials among
T-Mobile’s agents or employees without a pending request from the
customer, thus reducing likely detection of, and accountability for,
unauthorized accesses;

f. failed to suspend user credentials after a certain number of
unsuccessful access attempts. For example, unauthorized third parties
would call numerous times trying to gain access to customer accounts
before they finally got an agent on the line that would authorize access
without requiring, for example, a PIN;

g. failed to adequately train and supervise its agents and employees,
allowing its agents or employees, without authorization or approval, to
unilaterally access and make changes to customer accounts as if the
customer had so authorized;

h. allowed porting out of phone numbers without properly confirming
that the request was coming from the legitimate customers;

i. lacked proper monitoring solutions and thus failed to monitor its
systems for the presence of unauthorized access in a manner that
would enable T-Mobile to detect the intrusion, so that the breach of
security and diversion of customer information was able to occur in
the Plaintiffs’ situation and continued until after their virtual currency
account was compromised;

j. failed to implement simple, low-cost, and readily available defenses to
identity thieves such as delaying transfers from accounts on which the
password was recently changed or simply delaying transfers from
accounts to allow for additional verifications from the customers; and

k. failed to build adequate internal tools to help protect its customers
against hackers and account takeovers, including protection from
phone porting and wrongdoing by its own agents or employees acting
on their own behalf or on behalf or at the request of a third party.

37. Due to the security practices and procedures described herein, T-Mobile
established user credential structures that created an unreasonable risk of unauthorized
access to customer accounts, including that of Plaintiffs.

38. On information and belief, T-Mobile has long been aware of the security
risks presented by, inter alia, its weak user credential structures or procedures. From
prior attacks on customer accounts, T-Mobile has long had notice of those risks. In
addition, T-Mobile did not use readily available security measures to prevent or limit
such attacks. At the very least, Mr. Middleton himself gave notice of failures, breaches
and insufficiencies in T-Mobile’s security and privacy practices no less than 5 times.

39. As a result of T-Mobile’s faulty security practices, an attacker could easily
gain access to a customer’s account and then use it to gain access to the customer’s
sensitive information such as bank accounts or virtual currency accounts, among other
things.

40. As such, T-Mobile’s security measures were entirely inadequate to protect
its customers, including Plaintiffs.

41. Lack of adequate security in T-Mobile’s systems, practices, or procedures
enabled the unauthorized third parties to access Plaintiff’s wireless account, which then
enabled the unauthorized third parties to access Plaintiffs’ virtual currency accounts,
private cloud data storage and computer accounts, email services and possibly other
sensitive information, where mobile phone numbers, text messages and phone call-back
features are/were used as the first or second factor in two factor authentication (2FA)
security schemes – which, at the time of the security breaches negligently allowed by
T-Mobile, were the standard secure log-in procedures, and are still used quite often today.

42. As such, T-Mobile failed in the duty and responsibility it owed to
Plaintiffs to protect their account and phone number. Even if the subject incident was due
to an “inside” job or human performance falling short, T-Mobile is responsible for its
agents. And, while T-Mobile can outsource customer service functions, T-Mobile cannot
transfer accountability.

43. Had T-Mobile provided adequate account security or exercised reasonable
oversight, Plaintiffs would not have lost use and access to their phone number and its
associated account information or otherwise been damaged.

44. As a direct consequence of Defendant’s actions or inactions, Plaintiffs
have suffered and continue to suffer actual damages, including: (a) lost time; (b)
embarrassment and humiliation through negative press, among other things; (c)
aggravation and frustration; (d) fear; (e) anxiety; (f) financial uncertainty and loss of
business goodwill; (g) unease; (h) emotional distress, and (i) expenses, including missed
work, delayed projects, and attorneys’ fees and costs, as well as the costs inherent in
being deprived of one’s financial assets, such as the cost of not being able to sell those
financial assets for cash at will to address Plaintiffs’ financial needs.

COUNT I
FEDERAL COMMUNICATIONS ACT

45. Plaintiffs incorporate herein by reference the allegations above, inclusive,
as though fully set forth herein.

46. The FCA regulates interstate telecommunications carriers such as
Defendants.

47. Defendant T-Mobile is a common carrier engaged in interstate
communication by wire for the purpose of furnishing communication services within the
meaning of section 201(a) of the FCA. As “common carrier,” T-Mobile is subject to the
substantive requirements of sections 201 through 222 of the FCA.

48. Under section 201(b), common carriers may impose only those practices,
classifications, and regulations that are “just and reasonable.” And, under section 202(a),
common carriers are prohibited from making any unjust or unreasonable discrimination
in “practices, classifications, regulations, facilities, or services.”

49. Should a common carrier “omit to do any act, matter, or thing in this
chapter required to be done,” section 206 dictates that the “common carrier shall be liable
to the person or persons injured thereby for the full amount of damages sustained in
consequence of any such violation ... together with a reasonable counsel or attorney's
fee[.]”

50. T-Mobile’s conduct, as alleged here, constitutes a knowing violation of
section 201(b) and section 202(a). Further, under section 217, T-Mobile is also liable for
the acts, omissions, or failures, as alleged in this Complaint, of any of its officers, agents,
or other persons acting for or employed by Defendant.

51. Additionally, T-Mobile is a “telecommunications carrier” within the
meaning of section 222, which requires every telecommunication carrier to protect,
among other things, the confidentiality of proprietary information of, and relating to,
customers.

52. T-Mobile violated its duty, under 47 U.S.C. § 222(a), by failing to protect
the confidentiality of Plaintiffs’ proprietary information. T-Mobile violated 47 U.S.C.
§ 222(c) by using, disclosing, and/or permitting access to Plaintiffs’ CPNI without the
notice, consent, and/or legal authorization required under the FCA. T-Mobile also caused
and/or permitted third parties to use, disclose, and/or permit access to Plaintiffs’ CPNI
without the notice, consent, and/or legal authorization required under the FCA.

53. T-Mobile violated 47 U.S.C. § 222(c) by permitting an unauthorized party
to access the CPNI, resulting in the theft, by that party or others associated with that
party, of $8.7 million in cryptocurrency, as well as access to personal and financial
information of Plaintiffs. In addition to this financial loss, this unauthorized third-party
access and theft caused Mr. Middleton great distress and emotional harm.

54. T-Mobile’s conduct, as alleged here, constitutes a knowing violation of
section 222.

55. As a direct consequence of Defendant’s violations of the FCA, Plaintiffs
have been damaged and continue to be damaged in an amount to be proven at trial.

COUNT II
NEGLIGENCE

56. Plaintiffs incorporate herein by reference the allegations above, inclusive,
as though fully set forth herein.

57. T-Mobile owed Plaintiffs a duty of, inter alia, care in the handling and
safeguarding of Mr. Middleton’s customer account for the purposes of providing wireless
services.

58. T-Mobile owed a duty to Veritaseum to the extent Mr. Middleton
maintained his T-Mobile account in his capacity as founder of Veritaseum and for the
benefit of Veritaseum. T-Mobile breached the duty it owed to Veri
