UNITED STATES DISTRICT COURT FOR THE
EASTERN DISTRICT OF NEW YORK

Case 1:20-cv-03276-NGG-RLM Document 1 Filed 07/21/20

COMPLAINT

DEMAND FOR JURY TRIAL

Reginald Middleton,

and

Veritaseum, LLC,

Plaintiffs,

v.

T-Mobile US, Inc.,

Defendant.

Plaintiffs Reginald Middleton and Veritaseum LLC (collectively, “Plaintiffs” and individually “Mr. Middleton” and “Veritaseum”), by and through their counsel, complain and allege as follows against T-Mobile US, Inc. (“Defendant” or “T-Mobile”):

NATURE OF THE CASE

1. This action arises out of T-Mobile’s failure to protect its customers’ highly sensitive personal and financial information. As a result of T-Mobile’s gross negligence in protecting Plaintiffs’ information, its negligent hiring and supervision of T-Mobile employees who were responsible for safeguarding that information, and its violation of laws that expressly protect the information of wireless carrier customers, Plaintiffs lost $8.7 million in cryptocurrency and Mr. Middleton suffered and continues to suffer severe anxiety, fear and emotional distress relating to the repeated instances of identity theft that he experienced as a result of T-Mobile’s inadequate protection of his personal and financial information.

2. T-Mobile is one of the three largest wireless carriers in the United States. As a leading wireless carrier, T-Mobile holds itself out, and is required by law to be equipped to protect the personal and financial information of its customers. Consistent with its duty to protect such information, T-Mobile promises its customers that it uses a variety of administrative, technical, and physical security measures designed to protect its customers’ personal data—and particularly their data-rich SIM cards—against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use while it is under their control.

3. As T-Mobile is aware, and as has been widely reported in the press and by government regulators, including the Federal Trade Commission (“FTC”) and Federal Communications Commission (“FCC”), fraudsters have been increasingly using schemes to access customer personal and financial information by causing unauthorized changes in customers’ wireless accounts. The purpose of these schemes is to compromise customers’ mobile identities, access confidential data, take over their financial accounts, and effectuate fraudulent transactions.

4. One of the most damaging and pervasive schemes is fraudulent SIM card swapping. In SIM card swapping schemes, a hacker convinces a mobile phone carrier to transfer access of a targeted person’s phone number from her registered SIM card — the small portable chip that houses identification information connecting an account to the cell network — to the hacker’s SIM card. Once the hacker has access to this information, the hacker takes over the user’s cell phone. Often, the hacker targets individuals who are known, or expected, to hold large quantities of cryptocurrency. If the target has cryptocurrency account information on his or her phone, the hacker can transfer that cryptocurrency to his or her own accounts.

5. In 2016, the FTC’s Chief Technologist described these issues in a widely read post about her experience as a victim of an identity theft scheme and specifically called attention to the insidious “SIM swapping” scheme in which thieves use a victim’s hijacked phone number to gain access to financial accounts that use two-factor authentication through text messages. See “Your mobile phone account could be hijacked by an identity thief,” Lorrie Cranor, FTC Chief Technologist (Jun 7, 2016). https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief. T-Mobile was undoubtedly aware of this scheme and represented to its customers that they were protected against this type of identity theft scheme.

6. Nevertheless, in 2017, hackers began a campaign to victimize Reginald Middleton, a well-known holder of cryptocurrency and founder and sole owner of Veritaseum, a cryptocurrency company, through, and with the assistance of, his wireless carrier T-Mobile. On or about July 23, 2017, hackers targeted Mr. Middleton’s cryptocurrency account by accessing his account at T-Mobile which he maintained for the use of Veritaseum and himself. In order to gain access to Mr. Middleton’s financial accounts, a party unknown to Plaintiffs called T-Mobile pretending to be Mr. Middleton and seeking to conduct a SIM card swap. T-Mobile denied that request. The same or a related party proceeded to call three more times, each time seeking to conduct a SIM card swap. On the next two attempts, T-Mobile denied the request. On the fourth attempt, T-Mobile granted access to this unknown party without Mr. Middleton’s authorization.

7. T-Mobile then swapped Mr. Middleton’s SIM card and transferred control of Mr. Middleton’s phone number to a device under the control of the unknown party. That party was a hacker, who immediately took control of Mr. Middleton’s phone, accessed multiple accounts of Mr. Middleton and Veritaseum on his phone, accessed Mr. Middleton’s personal and financial information, and ultimately accessed his corporate and personal cryptocurrency addresses, wallets and online exchange accounts for holding cryptocurrency, using the access provided by T-Mobile to bypass the two-factor authentication (also known as "2FA") security measures.

8. Mr. Middleton’s corporate and personal cryptocurrency addresses, wallets and online exchange accounts contained $8.7 million of cryptocurrency. The hacker proceeded to transfer $8.7 million of cryptocurrency from Mr. Middleton’s corporate and personal cryptocurrency addresses, wallets and online exchange accounts to a separate cryptocurrency address and wallet owned and controlled by the hacker.

9. Mr. Middleton immediately contacted T-Mobile and spoke with T-Mobile representatives, including members of T-Mobile's security department, about the issue. T-Mobile’s representatives confirmed that T-Mobile permitted an unauthorized SIM swap and that T-Mobile would take steps to avoid future SIM swap occurrences.

10. Nevertheless, after the initial SIM swap, hackers continued to gain access to Mr. Middleton’s phone by performing additional unauthorized SIM swaps with T-Mobile’s assistance. Despite T-Mobile’s promise to Mr. Middleton that it would prevent future SIM swaps, hackers persuaded T-Mobile employees to authorize SIM swaps on August 22, 2017, September 16, 2017, and twice on October 4, 2017. After each unauthorized SIM swap, Mr. Middleton reported the issue to T-Mobile and T-Mobile confirmed the unauthorized SIM swap; however, T-Mobile did not take sufficient action to prevent future SIM swaps from occurring. Indeed, Mr. Middleton was on a call with T-Mobile’s security representatives, discussing the unauthorized October 4, 2017 SIM swap, and receiving assurance that T-Mobile had addressed the issue and taken steps to avoid any future SIM swaps, when the phone cut off because T-Mobile had permitted yet another unauthorized SIM swap.

11. Even after those five unauthorized SIM swaps in 2017, Mr. Middleton continued to be victimized by unauthorized SIM swaps in 2018 and 2019. Mr. Middleton made repeated complaints to T-Mobile in 2018 and 2019 regarding these instances of unauthorized access to his T-Mobile account. After each such complaint, T-Mobile failed to take corrective action or do anything to stop the unauthorized access to his T-Mobile account.

12. Most striking, T-Mobile, itself, conceded its own failure to act in response to this unauthorized hacking of Mr. Middleton’s account. In a letter to Mr. Middleton dated June 20, 2018, nearly one year after T-Mobile gave hackers unauthorized access to Mr. Middleton’s account and caused $8.7 million in losses, T-Mobile reported:

    We recently detected unauthorized activity on your T-Mobile account, during which an unknown party would have had access to Customer Proprietary Network Information ("CPNI").

13. As a wireless phone carrier, T-Mobile has a well-established duty to its customers to protect the privacy of its customers’ personal and financial information from unauthorized access, including under the FCA. Indeed, FCA, Section 222(c)(1) expressly restricts T-Mobile from the unauthorized disclosure of CPNI.

14. As further described and acknowledged by the FTC’s Chief Technologist Lorrie Cranor, “mobile carriers are in a better position than their customers to prevent identity theft through mobile account hijacking and fraudulent new accounts. . . . Carriers should adopt a multi-level approach to authenticating both existing and new customers and require their own employees as well as third-party retailers to use it for all transactions.”

15. T-Mobile abjectly failed in that duty by repeatedly providing hackers with unauthorized access to Mr. Middleton’s account and Plaintiffs’ personal, business and financial information. T-Mobile failed to implement and/or practice policies and procedures to sufficiently protect Mr. Middleton’s information, it failed to train and supervise its employees, who repeatedly provided unauthorized access to thieves, and it failed to take corrective action in response to this unauthorized access, as is clear from the repeated and successive hacking of Mr. Middleton’s phone with the assistance of T-Mobile employees. T-Mobile’s actions and/or failure to act demonstrate reckless disregard for the rights of Mr. Middleton and T-Mobile’s obligations and duties under the law.

16. As a result of T-Mobile’s breaches of security, Plaintiffs lost $8.7 million worth of cryptocurrency and Mr. Middleton was subjected to repeated, traumatizing attacks on his accounts that deprived him of access to his cell phone and exposed his personal and financial information to thieves. Plaintiffs also suffered significant and material loss of business goodwill and reputation as news of the hacks circulated throughout the financial, general and industry-specific media. Due to the severity of Plaintiffs’ financial loss and the repeated nature of the attacks, Mr. Middleton experienced and continues to experience anxiety and fear of financial injuries and unwanted publicity due to identity theft. These episodes have caused him great emotional distress and consequent physical illness stemming from anxiety and fear, exacerbated by the ongoing nature of the attacks on his T-Mobile account.

JURISDICTION AND VENUE

17. This Court has jurisdiction over this matter under 28 U.S.C. § 1331 because this case arises under federal question jurisdiction under the Federal Communications Act (“FCA”). The Court has supplemental jurisdiction under 28 U.S.C. § 1367 over the state law claims because the claims are derived from a common nucleus of operative facts. The Court also has jurisdiction over this matter under 28 U.S.C. § 1332 and in that the amount in controversy exceeds $75,000 and Plaintiffs and Defendants are citizens of different states and/or citizens of a foreign state in that Plaintiff Mr. Middleton is domiciled in the state of New York, Plaintiff Veritaseum, LLC is an entity with a principal place of business in the state of New York and Defendant T-Mobile is a corporation with a principal place of business in the state of Washington.

18. Venue is proper in this Court under 28 U.S.C. §§ 1391(b)(3)(1), (b)(2), (c) and (d) because a substantial part of the events or omissions giving rise to this Complaint occurred in this District. Plaintiffs have, or at the time of the occurrence had, either a residence or principal place of business in Manhattan and Brooklyn, New York. Mr. Middleton obtained wireless services from Defendant T-Mobile in New York in or about January 2009. Defendant’s violation of Plaintiffs’ privacy in those services is the subject of this complaint. Mr. Middleton contracted at all times relevant to the allegations herein to receive wireless services from Defendant T-Mobile for a telephone number with a New York City area code.

PARTIES

19. Plaintiff Mr. Middleton is a citizen of the United States of America, and a resident in the State of New York. Mr. Middleton entered into a contract with T-Mobile at least as early as 2017.

20. Plaintiff Veritaseum, LLC is a company operating within the United States of America and formed under the laws of the State of Delaware. Veritaseum’s headquarters and principal place of business was New York, New York. Mr. Middleton is the sole owner of Veritaseum and he used his T-Mobile account for the business of Veritaseum.

21. Defendant T-Mobile USA, Inc. is the United States operating entity of T-Mobile International AG & Co. T-Mobile, USA, Inc.’s headquarters and principal place of business in the United States is in Bellevue, Washington, in the County of King, WA. The practices and acts of T-Mobile as alleged in this Complaint have been “charges, practices, classifications, and regulations” as defined in the FCA.

FACTS AND ALLEGATIONS COMMON TO ALL CLAIMS

22. T-Mobile markets and sells wireless telephone service through standardized wireless service plans at various retail locations, online sales, and over the telephone. In connection with its wireless services, T-Mobile maintains wireless accounts enabling its customers to have access to information about the services they purchase from T-Mobile.

23. It is widely recognized that mishandling of customer wireless accounts can facilitate identity theft and related consumer harms and instances of such mishandling have occurred on numerous occasions at T-Mobile.

24. Among other things, T-Mobile’s Privacy Policy states: “We use a variety of administrative, technical, and physical security measures designed to protect your personal data against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use while it is under our control. We maintain authentication procedures when you contact us by phone or in retail locations to help ensure that access is provided only to the primary account holder or authorized users of the account. Online access to your personal data is protected through passwords and other safeguards.”

25. T-Mobile’s sales and marketing materials state: “We have implemented various policies and measures to ensure that our interactions are with you or those you authorize to interact with us on your behalf – and not with others pretending to be you or claiming a right to access your information.”

26. T-Mobile’s sales and marketing materials further state that, unless T-Mobile can verify the caller’s identity through certain personal information or a PIN if requested by the customer, T-Mobile’s policy is not to release any account specific information.

27. Despite these statements and other similar statements and promises, T-Mobile failed to provide reasonable and appropriate security to prevent unauthorized access to customer accounts. Under T-Mobile’s procedures, an unauthorized person, including T-Mobile’s own agents and employees, acting without the customer’s permission, can be authenticated and then can access and make changes to all the information to which the legitimate customer could access and make changes. T-Mobile also failed to disclose or disclosed misleading information to hide that its automated processes or human performances often fall short of its expressed and implied representations or promises, and such failures should have been foreseen by T-Mobile.

28. In or about January 2009, Plaintiff Reginald Middleton entered into a service agreement with T-Mobile for service on a wireless telephone.

29. In or about 2014, Mr. Middleton founded a cryptocurrency company called Veritaseum. Mr. Middleton was the sole member and owner of Veritaseum. Veritaseum paid for the T-Mobile account and Mr. Middleton accessed his Veritaseum accounts, wallets and exchanges through his T-Mobile account under the belief that T-Mobile was protecting Plaintiffs’ personal, business and financial information.

30. On or about July 23, 2017, a party unknown to Plaintiffs called T-Mobile, pretending to be Mr. Middleton. According to T-Mobile, the unknown party called 3 times seeking to conduct a SIM swap and T-Mobile refused those requests each time. For reasons completely unexplained by T-Mobile, T-Mobile granted this unknown party access to Mr. Middleton’s account on the 4th call. T-Mobile subsequently swapped Mr. Middleton’s SIM card and transferred control of Mr. Middleton’s phone number to a device under the control of the unknown party.

31. Based on T-Mobile’s actions, the unknown party was able to bypass the two-factor authentication (also known as “2FA”) security measures Mr. Middleton had put in place – based on T-Mobile’s assurances that 2FA would protect Plaintiffs’ information – thereby compromising Plaintiffs’ personal, business and financial accounts.

32. On or about July 23, 2017, using Plaintiffs’ credentials obtained from T-Mobile, the unknown party stole approximately $8.7M from Plaintiffs’ corporate and personal cryptocurrency addresses, wallets and online exchange accounts. Further, T-Mobile similarly provided access to hackers on at least August 22, 2017, September 16, 2017 and twice on October 4, 2017, and continued to provide access to hackers in 2018 and 2019.

33. Astonishingly, nearly one year after T-Mobile approved the unauthorized SIM swap, T-Mobile admitted to Mr. Middleton that, based on its records, he did not authorize the transfer of his phone number to a new device. See Ex. A. Strikingly, despite the fact that Mr. Middleton reported the phone hacks to T-Mobile contemporaneously, T-Mobile reported – one year later – that it “recently detected unauthorized activity on your T-Mobile account,” and identified at least five unauthorized SIM changes – occurring on at least July 23, 2017, August 22, 2017, September 16, 2017 and twice on October 4, 2017. Id.

34. By its procedures, practices, and regulations, T-Mobile engages in practices that, taken together, fail to provide reasonable and appropriate security to prevent unauthorized access to its customer wireless accounts, allowing unauthorized persons to be authenticated and then granted access to sensitive customer wireless account data.

35. In particular, T-Mobile has failed to establish or implement reasonable policies, procedures, or regulations governing the creation and authentication of user credentials for authorized customers accessing T-Mobile accounts, creating unreasonable risk of unauthorized access. As such, at all times material hereto, T-Mobile has failed to ensure that only authorized persons have such access and that customer accounts are secure.

36. Among other things, T-Mobile:

a. failed to establish or enforce rules sufficient to ensure only authorized persons have access to T-Mobile customer accounts;

b. failed to establish appropriate rules, policies, and procedures for the supervision and control of its officers, agents, or employees;

c. failed to establish or enforce rules, or provide adequate supervision or training, sufficient to ensure that all its employees or agents follow the same policies and procedures. For example, it is often possible to persuade one of T-Mobile’s agents not to apply the stated security policy and allow unauthorized access without providing a PIN. Similarly, on information and belief, T-Mobile agents or employees generally act on their own regardless of what is in the notes of a customer account, failing, among other things, to accommodate customers’ security requests;

d. failed to adequately safeguard and protect its customer wireless accounts, including that of Plaintiffs, so unauthorized third parties were able to obtain access to their account;

e. permitted the sharing of and access to user credentials among T-Mobile’s agents or employees without a pending request from the customer, thus reducing likely detection of, and accountability for, unauthorized accesses;

f. failed to suspend user credentials after a certain number of unsuccessful access attempts. For example, unauthorized third parties would call numerous times trying to gain access to customer accounts before they finally got an agent on the line that would authorize access without requiring, for example, a PIN;

g. failed to adequately train and supervise its agents and employees, allowing its agents or employees, without authorization or approval, to unilaterally access and make changes to customer accounts as if the customer had so authorized;

h. allowed porting out of phone numbers without properly confirming that the request was coming from the legitimate customers;

i. lacked proper monitoring solutions and thus failed to monitor its systems for the presence of unauthorized access in a manner that would enable T-Mobile to detect the intrusion, so that the breach of security and diversion of customer information was able to occur in the Plaintiffs’ situation and continued until after their virtual currency account was compromised;

j. failed to implement simple, low-cost, and readily available defenses to identity thieves such as delaying transfers from accounts on which the password was recently changed or simply delaying transfers from accounts to allow for additional verifications from the customers; and

k. failed to build adequate internal tools to help protect its customers against hackers and account takeovers, including protection from phone porting and wrongdoing by its own agents or employees acting on their own behalf or on behalf or at the request of a third party.

37. Due to the security practices and procedures described herein, T-Mobile established user credential structures that created an unreasonable risk of unauthorized access to customer accounts, including that of Plaintiffs.

38. On information and belief, T-Mobile has long been aware of the security risks presented by, inter alia, its weak user credential structures or procedures. From prior attacks on customer accounts, T-Mobile has long had notice of those risks. In addition, T-Mobile did not use readily available security measures to prevent or limit such attacks. At the very least, Mr. Middleton himself gave notice of failures, breaches and insufficiencies in T-Mobile’s security and privacy practices no less than 5 times.

39. As a result of T-Mobile’s faulty security practices, an attacker could easily gain access to a customer’s account and then use it to gain access to the customer’s sensitive information such as bank accounts or virtual currency accounts, among other things.

40. As such, T-Mobile’s security measures were entirely inadequate to protect its customers, including Plaintiffs.

41. Lack of adequate security in T-Mobile’s systems, practices, or procedures enabled the unauthorized third parties to access Plaintiff’s wireless account, which then enabled the unauthorized third parties to access Plaintiffs’ virtual currency accounts, private cloud data storage and computer accounts, email services and possibly other sensitive information, where mobile phone numbers, text messages and phone call-back features are/were used as the first or second factor in two factor authentication (2FA) security schemes – which, at the time of the security breaches negligently allowed by T-Mobile, were the standard secure log-in procedures, and are still used quite often today.

42. As such, T-Mobile failed in the duty and responsibility it owed to Plaintiffs to protect their account and phone number. Even if the subject incident was due to an “inside” job or human performance falling short, T-Mobile is responsible for its agents. And, while T-Mobile can outsource customer service functions, T-Mobile cannot transfer accountability.

43. Had T-Mobile provided adequate account security or exercised reasonable oversight, Plaintiffs would not have lost use and access to their phone number and its associated account information or otherwise been damaged.

44. As a direct consequence of Defendant’s actions or inactions, Plaintiffs have suffered and continue to suffer actual damages, including: (a) lost time; (b) embarrassment and humiliation through negative press, among other things; (c) aggravation and frustration; (d) fear; (e) anxiety; (f) financial uncertainty and loss of business goodwill; (g) unease; (h) emotional distress, and (i) expenses, including missed work, delayed projects, and attorneys’ fees and costs, as well as the costs inherent in being deprived of one’s financial assets, such as the cost of not being able to sell those financial assets for cash at will to address Plaintiffs’ financial needs.

COUNT I
FEDERAL COMMUNICATIONS ACT

45. Plaintiffs incorporate herein by reference the allegations above, inclusive, as though fully set forth herein.

46. The FCA regulates interstate telecommunications carriers such as Defendants.

47. Defendant T-Mobile is a common carrier engaged in interstate communication by wire for the purpose of furnishing communication services within the meaning of section 201(a) of the FCA. As a “common carrier,” T-Mobile is subject to the substantive requirements of sections 201 through 222 of the FCA.

48. Under section 201(b), common carriers may impose only those practices, classifications, and regulations that are “just and reasonable.” And, under section 202(a), common carriers are prohibited from making any unjust or unreasonable discrimination in “practices, classifications, regulations, facilities, or services.”

49. Should a common carrier “omit to do any act, matter, or thing in this chapter required to be done,” section 206 dictates that the “common carrier shall be liable to the person or persons injured thereby for the full amount of damages sustained in consequence of any such violation ... together with a reasonable counsel or attorney's fee[.]”

50. T-Mobile’s conduct, as alleged here, constitutes a knowing violation of section 201(b) and section 202(a). Further, under section 217, T-Mobile is also liable for the acts, omissions, or failures, as alleged in this Complaint, of any of its officers, agents, or other persons acting for or employed by Defendant.

51. Additionally, T-Mobile is a “telecommunications carrier” within the meaning of section 222, which requires every telecommunication carrier to protect, among other things, the confidentiality of proprietary information of, and relating to, customers.

52. T-Mobile violated its duty, under 47 U.S.C. § 222(a), by failing to protect the confidentiality of Plaintiffs’ proprietary information. T-Mobile violated 47 U.S.C. § 222(c) by using, disclosing, and/or permitting access to Plaintiffs’ CPNI without the notice, consent, and/or legal authorization required under the FCA. T-Mobile also caused and/or permitted third parties to use, disclose, and/or permit access to Plaintiffs’ CPNI without the notice, consent, and/or legal authorization required under the FCA.

53. T-Mobile violated 47 U.S.C. § 222(c) by permitting an unauthorized party to access the CPNI, resulting in the theft, by that party or others associated with that party, of $8.7 million in cryptocurrency, as well as access to personal and financial information of Plaintiffs. In addition to this financial loss, this unauthorized third-party access and theft caused Mr. Middleton great distress and emotional harm.

54. T-Mobile’s conduct, as alleged here, constitutes a knowing violation of section 222.

55. As a direct consequence of Defendant’s violations of the FCA, Plaintiffs have been damaged and continue to be damaged in an amount to be proven at trial.

COUNT II
NEGLIGENCE

56. Plaintiffs incorporate herein by reference the allegations above, inclusive, as though fully set forth herein.

57. T-Mobile owed Plaintiffs a duty of, inter alia, care in the handling and safeguarding of Mr. Middleton’s customer account for the purposes of providing wireless services.

58. T-Mobile owed a duty to Veritaseum to the extent Mr. Middleton maintained his T-Mobile account in his capacity as founder of Veritaseum and for the benefit of Veritaseum. T-Mobile breached the duty it owed to Veri