`
UNITED STATES DISTRICT COURT FOR THE
SOUTHERN DISTRICT OF NEW YORK

CALVIN CHENG,

Plaintiff,

– against –

T-MOBILE USA, INC.,

Defendant.

Case No.: ________________

COMPLAINT

DEMAND FOR JURY TRIAL

Plaintiff CALVIN CHENG (“Plaintiff”), by and through his attorneys, WILSON & CHAN, LLP, upon information and belief, complains and alleges as follows against Defendant T-MOBILE USA, INC. (“T-Mobile”):
`
`
`
`1.
`
`NATURE OF THE CASE
`
`This action arises out of T-Mobile’s systemic and repeated failures to protect and
`
`safeguard its customers’ highly sensitive personal and financial information against common,
`
`widely reported, and foreseeable attempts to illegally obtain such information.
`
`2.
`
`As a result of T-Mobile’s gross negligence in protecting customer information,
`
`including its negligent hiring and supervision of customer support personnel and its violations
`
`of Federal laws designed to protect wireless service consumers, Plaintiff lost in excess of $450,000
`
`
`
`Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 2 of 32
`
`in cryptocurrency due to an account takeover scheme (also known as “SIM-swapping”) which
`
`could not have occurred but for T-Mobile’s negligent practices and its repeated failure to adhere
`
`to federal and state law.
`
`3.
`
`T-Mobile is one of the nation’s largest wireless carriers, having recently merged
`
`with Sprint and
`
`is governed by numerous federal statutes,
`
`including the Federal
`
`Communications Act (FCA).
`
`4.
`
`T-Mobile regularly holds itself out as a secure custodian of customer data,
`
`including customer financial and personal information.
`
`5.
`
`T-Mobile maintains that is uses a “variety of administrative, technical, procedural,
`
`contractual, and physical security measures” to protect customer data against “accidental,
`
`unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use while it is under
`
`our control.”1
`
`6.
`
`Moreover, T-Mobile states that it maintains “authentication procedures when
`
`[customers] contact us by phone or in retail locations to help ensure that access is provided only
`
`to the primary account holder or authorized users of the account.”2
`
`7.
`
`As T-Mobile is aware, SIM-swapping and other forms of account takeover fraud
`
`have been widely reported in the press and by government regulators, including the Federal
`
`Trade Commission (FTC) and the Federal Communications Commission (FCC), as well as by
`
`academic research teams.
`
`
`1 Available at https://www.t-mobile.com/privacy-center/our-practices/privacy-policy (last accessed Jan. 27,
`2021).
`
`2
`
` Id.
`
` 2
`
`
`
`
`
8. Account takeover schemes involve criminals and fraudsters gaining access to or “hijacking” customer wireless accounts, which often include sensitive personal and financial information, to induce third parties to conduct transactions with individuals they believe to be legitimate or known to them.

9. One of the most damaging and pervasive forms of account takeover fraud is “SIM-swapping,” whereby a criminal third party convinces a wireless carrier like T-Mobile to transfer access to one of its legitimate customers’ cellular phone numbers from the legitimate customer’s registered SIM card – a small portable chip that houses identification information connecting an account to the wireless carrier’s network3 – to a SIM card controlled by the criminal third party.

10. This sort of account takeover is not an isolated criminal act, per se, as it requires the wireless carrier’s active involvement to swap the SIM to an unauthorized person’s phone.

11. As such, by directly or indirectly exceeding the authorized access to customer accounts, wireless carriers such as T-Mobile may be liable under the Computer Fraud and Abuse Act (CFAA).

12. Unlike a direct hack of data, where a company like T-Mobile plays a more passive role, SIM-swaps are ultimately actualized by the wireless carrier itself. It is T-Mobile, in this case, that effectuates the SIM card change. This action remains operative and in force when the victim’s phone activity is used to hack other online accounts, extort the victim, or cause other foreseeable injuries, such as the one suffered by Plaintiff here.4

3 A SIM (“subscriber identity module”) card is a small, removable chip that allows a cell phone to communicate with the wireless carrier and to know which subscriber is associated with that phone. The SIM card associated with a wireless phone can be changed, allowing customers to move their wireless number from one cell phone to another and to continue accessing their carrier network when they switch cell phones. The wireless carrier must effectuate the SIM card reassignment.
`
`13.
`
`Once the third-party has access to the legitimate user’s SIM-card data, it can
`
`seamlessly impersonate the legitimate wireless customer.
`
`14.
`
`A common target of SIM-swapping and account takeover fraud are individuals
`
`known to, or expected to, hold large quantities of cryptocurrency as account information is often
`
`contained on users’ cellular phones, allowing criminals to transfer the legitimate user’s
`
`cryptocurrency to an account the criminal controls.
`
`15.
`
`SIM-swapping is not a new unforeseeable phenomenon but, instead, has been
`
`discussed by federal agencies since at least 2016.
`
`16.
`
`In June 2016, the FTC’s Chief Technologist, herself the victim of an account
`
`takeover, recounted her experience and offered advice to wireless carriers to help consumers
`
`avoid these takeover attacks, stating:
`
`The mobile carriers are in a better position than their customers to prevent
`identity theft through mobile account hijacking and fraudulent new
`accounts. In fact, many of them are obligated to comply with the Red Flags
`Rule, which, among other things, requires them to have a written identity
`theft prevention program.
`
`Carriers should adopt a multi-level approach to authenticating both
`existing and new customers and require their own employees as well as
`third-party retailers to use it for all transactions …
`
`[M]obile carriers and third-party retailers need to be vigilant in their
`authentication practices to avoid putting their customers at risk of major
`
`4 Wireless carriers such as T-Mobile have superior knowledge of their own and their customers’ experience
`with SIM-swap attacks and can foresee identity theft and impersonation of their customers following their
`effectuating of the SIM change. That a criminal may act as an intervening agent does not break the sequence
`of causation where T-Mobile had reasonable ground to anticipate such injuries to third-parties such as
`Plaintiff.
`
`
`
`4
`
`
`
`Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 5 of 32
`
`financial loss and having email, social network, and other accounts
`compromised.5
`
`
`
`17.
`
`Attention in the media and by government regulators, however, did not ensure
`
`that wireless carriers like T-Mobile took security seriously enough to prevent account takeover
`
`accounts and SIM-swapping schemes from increasing or, worse, to convince themselves,
`
`company-wide, to stop engaging in practices that were clearly violative of federal law.
`
`18.
`
`An empirical study conducted by researchers at Princeton University in early 2020,
`
`the results of which were aware to T-Mobile prior to publication, concluded that they “identified
`
`weak authentication schemes and flawed policies” at several major wireless carriers in the United
`
`States, including T-Mobile.6
`
`19.
`
`The researchers also concluded that “these flaws enable straightforward SIM swap
`
`attacks.”7
`
`20.
`
`One particularly weak form of customer authentication used by T-Mobile – the use
`
`of recent call logs – was identified as a “severe vulnerability,” allowing criminals to authenticate
`
`a legitimate account by using information that can be manipulated without authentication.8
`
`
`5 “Your Mobile Phone Account Could be Hijacked by an Identity Thief,” L. Cranor, Tech@FTC blog (June 7, 2016);
`Ms. Cranor also detailed her concerns about SIM-swapping in her reply comments before the Federal
`Communications Commission in July 2016 (In the Matter of Protecting the Privacy of Customers of
`Broadband and Other Telecommunication Services; WC Docket No. 16-106; July 6, 2016).
`
` 6
`
` “An Empirical Study of Wireless Carrier Authentication for SIM Swaps,” K. Lee, et al., Dept. of Comp. Sci. and
`Ctr. for Info. Tech. Policy, Princeton University (Jan. 10, 2020), at p. 10; see also p. 2 (discussing T-Mobile’s
`discontinuation of call log verification based on the study’s research in January 2020).
`
` Id.
`
` Id. at p. 6.
`
`5
`
` 7
`
` 8
`
`
`
`
`
`
`
21. Indeed, when notified by the researchers of this “severe vulnerability,” T-Mobile indicated that it would discontinue the use of call log verification in its customer authentication process in January 2020.

22. But this is just the latest “vulnerability” that has been called out in T-Mobile’s customer authentication process which, when flawed, enables criminals to easily secure access to the personal information of legitimate customers.

23. In May 2018, a popular information security blog, Krebs on Security, detailed several failures by T-Mobile to keep its customers’ data secure, including failing to supervise its employees (one of whom perpetrated the account takeover scheme with knowledge of T-Mobile’s vulnerable internal systems) and failing to send legitimate customers notice to their personal e-mail when a SIM-swap occurs.9

24. The article continued, “[T-Mobile] also acknowledged that it does not currently send customers an email to the email address on file when SIM swaps take place. A T-Mobile spokesperson said the company was considering changing the current policy, which sends the customer a text message to alert them about the SIM swap [to the phone number that is now in the criminal third-party’s control].” As the author concluded with regard to sending a text to the hijacked phone number, “obviously that does not help someone who is the target of a SIM swap.”10

9 “T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account,” B. Krebs, Krebs on Security (May 18, 2018).

10 Id.
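The two weaknesses described in paragraphs 20 through 24 (treating recent call logs as proof of identity, and alerting the customer about a SIM change only by text message to the number that has just been moved) correspond to concrete design choices in a carrier’s SIM-change workflow. The Python model below is an illustration added by the editor; it is not part of the complaint, is not T-Mobile’s code, and makes no claim about how any carrier’s systems actually work. The factor names, the 24-hour hold window during which the old SIM stays active, the alert channels, and the sample account and requests are all assumptions chosen to show the point: evidence an attacker can plant without authenticating (call-log entries, which anyone can create by phoning the victim) is rejected outright, and every alert goes to a channel the legitimate customer still controls.

```python
"""Hypothetical SIM-change authorization policy (illustrative, not any carrier's code).

Two failure modes are modelled:
  1. "Recent call log" verification is knowledge an attacker can seed by simply
     calling the victim, so it must never count as authentication.
  2. A SIM-change alert sent only by SMS reaches the *new* SIM, i.e. the attacker;
     alerts must go out of band and the change must be reversible for a while.
"""
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    ACCOUNT_PIN = "account_pin"          # secret the customer set
    GOVERNMENT_ID = "government_id"      # document checked in a store
    BILLING_ADDRESS = "billing_address"  # obtainable from data brokers
    RECENT_CALL_LOG = "recent_call_log"  # attacker can plant this without authenticating


# Only evidence the attacker can neither look up nor plant counts as authentication.
STRONG_FACTORS = {Factor.ACCOUNT_PIN, Factor.GOVERNMENT_ID}
# Offering call-log knowledge is treated as a signal of an attack, not as proof.
FORBIDDEN_FACTORS = {Factor.RECENT_CALL_LOG}


@dataclass
class Account:
    number: str
    sim_iccid: str
    email: str
    pin: str
    port_freeze: bool = False
    audit: list = field(default_factory=list)


@dataclass
class SimChangeRequest:
    new_iccid: str
    agent_id: str
    factors: dict  # Factor -> value the caller supplied (hypothetical shape)


@dataclass
class Decision:
    allowed: bool
    reason: str
    alerts: list       # (channel, destination) pairs; never the new SIM
    hold_hours: int = 0


def out_of_band_alerts(acct: Account) -> list:
    """Alert channels the legitimate customer still controls during the hold window.
    An SMS to the new SIM is deliberately absent: it would reach only the attacker."""
    return [("email", acct.email), ("sms_old_sim", acct.sim_iccid)]


def authorize_sim_change(acct: Account, req: SimChangeRequest, hold_hours: int = 24) -> Decision:
    """Decide a SIM-change request. Even an approved change is only *pending*:
    the old SIM stays live for hold_hours and the alerts let the customer cancel."""
    alerts = out_of_band_alerts(acct)
    presented = set(req.factors)

    if acct.port_freeze:
        acct.audit.append((req.agent_id, "rejected: port freeze active"))
        return Decision(False, "port freeze active", alerts)

    if presented & FORBIDDEN_FACTORS:
        acct.audit.append((req.agent_id, "rejected: call log offered as identity proof"))
        return Decision(False, "call-log verification is not accepted", alerts)

    if Factor.ACCOUNT_PIN in presented:
        # Constant-time comparison so the agent-facing tool leaks nothing about the PIN.
        if not hmac.compare_digest(str(req.factors[Factor.ACCOUNT_PIN]), acct.pin):
            acct.audit.append((req.agent_id, "rejected: wrong account PIN"))
            return Decision(False, "account PIN mismatch", alerts)
    elif not (presented & STRONG_FACTORS):
        acct.audit.append((req.agent_id, "rejected: no strong factor"))
        return Decision(False, "no strong authentication factor presented", alerts)

    acct.audit.append((req.agent_id, f"pending: {acct.sim_iccid} -> {req.new_iccid} ({hold_hours}h hold)"))
    return Decision(True, "approved, pending hold window", alerts, hold_hours)


def demo() -> dict:
    """Constructed requests against a constructed account (sample data, not real)."""
    acct = Account("+12125550100", "8901000000000000001", "owner@example.com", "4821")
    attacker_call_log = SimChangeRequest("8901000000000000099", "agent-17",
                                         {Factor.RECENT_CALL_LOG: ["+12125550199"],
                                          Factor.BILLING_ADDRESS: "1 Main St"})
    attacker_guess = SimChangeRequest("8901000000000000099", "agent-17",
                                      {Factor.ACCOUNT_PIN: "1234"})
    owner_in_store = SimChangeRequest("8901000000000000002", "store-03",
                                      {Factor.ACCOUNT_PIN: "4821"})
    return {
        "call_log": authorize_sim_change(acct, attacker_call_log),
        "bad_pin": authorize_sim_change(acct, attacker_guess),
        "owner": authorize_sim_change(acct, owner_in_store),
        "audit": acct.audit,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the module prints three decisions: the call-log-based request and the wrong-PIN request are refused, the request backed by the correct PIN is approved only as a pending change with the old SIM still active, and the audit trail records which agent handled each attempt. The hold window and the alert list encode the point the Krebs article makes: a notice is only useful if it arrives somewhere the attacker is not.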
`
`
`
`
`6
`
`
`
25. As with the call log verification vulnerability later identified by the Princeton researchers, T-Mobile had already demonstrated knowledge of multiple weaknesses in its internal processes and procedures to authenticate legitimate customers, admitting that such weaknesses must be eliminated and such practices discontinued.

26. When Twitter CEO Jack Dorsey became the victim of a SIM-swap attack in 2019, the issue took on an even higher profile, with outlets including the NEW YORK TIMES and CNBC running lengthy articles on the topic, often including quotes from T-Mobile spokespersons.11

27. In February 2020, the FCC issued a “Notice of Apparent Liability for Forfeiture and Admonishment” against T-Mobile for apparently violating sections of the FCA governing the privacy of consumer information by disclosing such information to third parties who were not authorized to receive it, finding, “even after highly publicized incidents put [T-Mobile] on notice that its safeguards for protecting [customer information] were inadequate, T-Mobile apparently continued [to] sell access to its [customer information] for the better part of a year without putting in place reasonable safeguards – leaving its customers’ data at unreasonable risk of unauthorized disclosure.”12

11 “Hackers Hit Twitter C.E.O. in a ‘SIM Swap.’ You’re at Risk, Too,” N. Popper, NEW YORK TIMES (Sept. 5, 2019) (quoting a security expert who stated “SIM swapping is proliferating, and it’s going to keep proliferating until companies deal with this. This is a known issue at this point. There is not really any excuse.”); see also “Here’s How the Recent Twitter Attacks Happened and Why They’re Becoming More Common,” A. Palmer, CNBC (noting that “As SIM hacks continue to rise, security advocates have called for carriers to do more to thwart the issue.”) (available at https://www.cnbc.com/2019/09/06/hack-of-jack-dorseys-twitter-account-highlights-sim-swapping-threat.html) (last accessed Jan. 27, 2021).

12 In the Matter of T-Mobile USA, Inc., File No. EB-TCD-18-00027702 (Feb. 28, 2020).
`
`
`
28. In proposing a penalty of $91,630,000.00 against T-Mobile, the FCC concluded its decision by stating:

Going forward, Americans must be able to place trust in their wireless carriers. I understand that operating businesses at the enormous scale of these companies means relying on third parties for certain services. But these carriers know that the services they offer create risks for users: unauthorized location tracking, SIM hijacking, and billing scams to name just [a] few. Carriers must take responsibility for those people they allow into their operations.13

29. Despite the massive amounts of media, governmental, and academic focus on the issue of SIM-swapping and the internal vulnerabilities of wireless carrier systems, T-Mobile has been unable or unwilling to institute the practices, procedures, and safeguards necessary to protect its customers’ data from account takeover and SIM-swap attacks.14

30. As a regulated wireless carrier, T-Mobile has a well-established duty – one which it freely acknowledges on its corporate website15 – to protect the security and privacy of its customers’ personal and financial information – referred to as CPNI in federal statutory language16 – from unauthorized access, and T-Mobile is required to certify its compliance with that federal law annually to the FCC.17

13 Id. at p. 43.

14 Setting aside the numerous instances of account takeover fraud, T-Mobile’s track record on preventing data breaches of any kind is equally suspect, having announced at least four (4) separate data breaches in the last three (3) years, affecting millions of customers. When coupled with its merger partner, Sprint, the number of breaches is six (6) in the same time period. See https://threatpost.com/t-mobile-another-data-breach/162703/ (last accessed Jan. 27, 2021).

15 See https://www.t-mobile.com/privacy-center/education-and-resources/cpni (last accessed Jan. 27, 2021).

16 CPNI stands for Customer Proprietary Network Information.

17 See https://www.t-mobile.com/privacy-center/education-and-resources/cpni (last accessed Jan. 27, 2021).
`
`
`
31. The FCA expressly restricts carriers like T-Mobile from unauthorized disclosure of CPNI.

32. T-Mobile negligently failed to prevent the unauthorized disclosure of CPNI in this case, causing Plaintiff to suffer hundreds of thousands of dollars in damage.

THE SIM-SWAP AT ISSUE

33. Brandon Buchanan (“Buchanan”) is the co-founder and partner of Iterative Capital (“Iterative”), a hybrid investment fund focused on cryptocurrency trading and seed-stage venture investments.

34. In May 2020, Buchanan was a wireless customer of T-Mobile.

35. In the days leading up to May 17, 2020, Buchanan suffered a SIM-swap attack when third parties were able to access and, indeed, hijack Buchanan’s SIM data from T-Mobile, granting them full access to Buchanan’s CPNI and allowing the third parties to impersonate Buchanan in online forums and applications.

36. T-Mobile customers like Buchanan, who is heavily involved in the cryptocurrency trade, are particularly susceptible to the attention of hackers in account takeover and SIM-swap attacks.

37. T-Mobile allowed third parties other than Buchanan unauthorized access to Buchanan’s SIM data in violation of federal law.

38. Plaintiff is a customer of Iterative.
`
`
`
39. Iterative administered a cryptocurrency exchange where its customers could buy and sell cryptocurrencies, including Bitcoin.

40. Plaintiff performed several successful transactions with Iterative to purchase Bitcoin in the months leading up to May 2020.

41. The transactions were coordinated through a mobile application (“app”) called Telegram, an encrypted cloud-based instant messaging service.

42. As of January 2021, Telegram had an estimated 500 million monthly active users worldwide, with accounts tied to cellular telephone numbers which are verified by text message to those telephone numbers.

43. If an unauthorized third party gains access to a Telegram account holder’s SIM data, it can easily access that user’s Telegram account and hijack that user’s identity in messages with other Telegram account users.

44. Plaintiff maintained a Telegram account to perform the cryptocurrency transactions with Iterative.

45. Buchanan was a member of the Telegram group chat room used by Plaintiff to conduct transactions with Iterative.

46. Plaintiff was aware Buchanan was a member of the Telegram group chat room used to conduct the cryptocurrency trades.

47. Plaintiff knew Buchanan to be a principal of Iterative.

48. Another member of Iterative, Wei Lin (“Wei”), was also a member of the same Telegram group chat room used by Plaintiff and Iterative to conduct the cryptocurrency exchange transactions.
`
`
`
49. Plaintiff knew Wei to be a representative of Iterative.

50. Plaintiff was aware Wei was a member of the Telegram group chat room used to conduct the cryptocurrency trades.

51. After securing access to Buchanan’s data from T-Mobile, the hackers compromised Buchanan’s Telegram account.

52. After securing access to Buchanan’s data from T-Mobile, the hackers impersonated Buchanan by sending a Telegram message to Plaintiff on or about May 17, 2020 at 7:31 p.m., inquiring whether Plaintiff wanted to sell any Bitcoin for an Iterative client at a premium (i.e., above market value).

53. When Plaintiff inquired further, the hackers stated under the Telegram username “Brandon B. [Iterative Capital]” that “I’m a partner & Co-founder at Iterative capital, I believe you’ve done a buy with Wei before, check our Groups in common.”

54. Believing the proposed transaction to be a legitimate trade with a principal of Iterative, Plaintiff sent fifteen (15) Bitcoin to a digital wallet he believed to be controlled by Buchanan and/or Iterative, expecting U.S. dollars in return to an account controlled by Plaintiff.

55. Plaintiff did not receive any money in return for the fifteen (15) Bitcoin he sent via the Telegram app to the party he thought was Buchanan.

56. The record of the May 17, 2020 transaction and communications between Plaintiff and the third parties Plaintiff believed to be Buchanan were deleted thereafter from the Telegram app.
`
`
`
57. On May 19, 2020, Buchanan sent an email to Iterative’s exchange clients informing them that several of his accounts were compromised “as a result of a SIM-swap attack that enabled a hacker to assume my identity” and to make trades on behalf of Iterative.

58. Buchanan alerted local law enforcement (New York Police Department) authorities, as well as the Federal Bureau of Investigation (FBI).

59. The investigation into the identity of the third parties who gained access to Buchanan’s SIM data from T-Mobile is ongoing.

60. Plaintiff, likewise, filed complaints with the same law enforcement agencies.

61. Upon information and belief, Buchanan attempted to intercede directly with T-Mobile to obtain a refund on behalf of Plaintiff.

62. Upon information and belief, T-Mobile did not offer to compensate Buchanan or Plaintiff in any way, despite the clear violation of federal and state law and its negligence in securing Buchanan’s CPNI, which violations of law and duty cost Plaintiff hundreds of thousands of dollars in losses.

63. Upon information and belief, T-Mobile, despite a legal obligation to do so, abjectly failed in its duty to safeguard its customers’ personal and financial information by providing unauthorized access to Buchanan’s CPNI.

64. Upon information and belief, T-Mobile failed to implement and/or maintain security policies and procedures sufficient to prevent the unauthorized access to Buchanan’s CPNI.

65. Upon information and belief, T-Mobile failed to properly train and supervise its employees to prevent the unauthorized access to Buchanan’s CPNI.
`
`
`
66. Upon information and belief, T-Mobile could have reasonably foreseen the consequences of failing in its duty to implement, maintain, and execute sufficient security policies and practices to prevent the unauthorized access to customer data, including that of Buchanan.

67. Upon information and belief, T-Mobile’s systems, policies, and procedures allow its officers, agents, and employees to exceed the authorized access to its customer accounts without justification in violation of the CFAA.

68. T-Mobile’s actions and inaction demonstrate a reckless disregard for the rights of its customers and those with whom its customers deal (i.e., foreseeable victims).

69. T-Mobile’s actions and inaction demonstrate a reckless disregard for its obligations, responsibilities, and duties under the law.

70. But for T-Mobile’s reckless disregard of its obligations, Plaintiff would not have been damaged.

71. The damage suffered by Plaintiff is fairly traceable to the wrongful conduct of T-Mobile in allowing the unauthorized access to Buchanan’s wireless account.

JURISDICTION AND VENUE

72. This Court has jurisdiction over this matter under 28 U.S.C. §1331 as this case arises under the Court’s federal question jurisdiction pursuant to the Federal Communications Act (“FCA”).
`
`
`
73. This Court has jurisdiction over this matter under 18 U.S.C. §1030(g) as this case arises under the Court’s federal question jurisdiction and meets the monetary threshold requirements pursuant to the Computer Fraud and Abuse Act (“CFAA”).

74. Pursuant to the Court’s supplemental jurisdiction under 28 U.S.C. §1367, it may entertain the state law claims as they are derived from a common nucleus of operative facts.

75. Further, the Court has jurisdiction under 28 U.S.C. §1332 in that the amount in controversy exceeds $75,000.00 and Plaintiff and Defendant are citizens of different states. Plaintiff is a resident of the State of California, and Defendant is a Delaware corporation with a principal place of business in the State of Washington.

76. Venue is proper in this Court under 28 U.S.C. §1391(b)(2), §1391(b)(3), §1391(c)(2), and §1391(d) as a substantial part of the events or omissions giving rise to this complaint occurred in this District. Buchanan is a resident of the State of New York, Iterative maintains a principal place of business in the State of New York, and Buchanan utilized the T-Mobile wireless services in the State of New York, including the use of a New York area code.

77. Upon information and belief, as a resident of New York, Buchanan contracted with T-Mobile to provide wireless carrier services in the State of New York, including the data security protections against unauthorized disclosure by T-Mobile of Buchanan’s data, as required by federal law. As such, T-Mobile’s failure to protect Buchanan’s CPNI against unauthorized access, causing Plaintiff damage, is central to the claims of this complaint.

78. As a customer of Iterative, a New York-based company, Plaintiff conducted trades through the platforms maintained by Iterative and, additionally, signed a contract governing such trades.
`
`
`
79. The investigation into the fraudulent trade is currently being led by the New York Police Department’s Financial Crimes Task Force (Det. A. Napoli) in conjunction with the U.S. Department of Homeland Security, Dark Web & Crypto Currency Group – TFO.

80. Upon information and belief, the necessary witnesses, including Buchanan, Wei, and Iterative, are resident in the State of New York.

PARTIES

81. Plaintiff is a citizen of the United States and a resident of the State of California.

82. T-Mobile is a corporation formed under the laws of the State of Delaware and serves as the American operating company of T-Mobile International AG & Co., a corporation based in Germany. T-Mobile maintains its headquarters and principal place of business in Bellevue, Washington.

83. The practices and acts of T-Mobile, as alleged herein, are “charges, practices, classifications, and regulations” by a common carrier engaged in interstate commerce as set forth in the FCA.

FACTS AND ALLEGATIONS COMMON TO ALL CLAIMS

84. T-Mobile markets and sells wireless cellular phone service through standardized wireless service plans via various retail locations, online sales, and over the telephone.

85. T-Mobile maintains accounts for its wireless customers, enabling them to access information about the services they purchase from T-Mobile.
`
`
`
86. It is widely recognized and has been widely publicized that mishandling of customer wireless accounts, including but not limited to allowing unauthorized access, can facilitate identity theft and related consumer harm.

87. Instances of mishandling of customer account information have occurred on numerous occasions at T-Mobile.

88. T-Mobile’s Privacy Policy states, in pertinent part: “We use a variety of administrative, technical, and physical security measures designed to protect your personal data against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use while it is under our control. We maintain authentication procedures when you contact us by phone or in retail locations to help ensure that access is provided only to the primary account holder or authorized users of the account. Online access to your personal data is protected through passwords and other safeguards.”

89. T-Mobile’s sales and marketing materials state, inter alia, “We have implemented various policies and measures to ensure that our interactions are with you or those you authorize to interact with us on your behalf – and not with others pretending to be you or claiming a right to access your information.”

90. T-Mobile’s sales and marketing materials also state that, unless T-Mobile can verify the caller’s identity through certain personal information or a PIN requested by the customer, T-Mobile’s policy is not to release any account-specific information.

91. Despite these statements and other similar statements and promises, T-Mobile failed to provide reasonable and appropriate security to prevent unauthorized access to customer accounts.
`
`
`
92. Under the inadequate procedures implemented by T-Mobile, unauthorized persons, including T-Mobile’s own officers, agents, and employees, acting without customer permission, can authenticate, access, and make changes to customer information.

93. T-Mobile failed to disclose, or made deceptive statements designed to cover up, the fact that its security procedures can and do fall short of its expressed and implied representations and promises.

94. Such failures leading to unauthorized access of customer information were entirely foreseeable by T-Mobile.

95. Buchanan entered into a contract with T-Mobile for wireless cellular service.

96. On or about May 17, 2020, T-Mobile allowed an unauthorized person to access Buchanan’s T-Mobile account.

97. Thereafter, the unauthorized person was able to gain access to Buchanan’s phone-based applications, including Telegram.

98. The unauthorized person was able to impersonate Buchanan and engage in transactions with third parties, including Plaintiff.

99. Plaintiff lost fifteen (15) Bitcoin because of his belief that he was doing business with Buchanan, a loss in excess of $450,000.00.

100. Had T-Mobile not allowed the unauthorized access to Buchanan’s account, Plaintiff would not have suffered his loss.

101. T-Mobile, by its inadequate procedures, practices, and regulations, engages in practices which, taken together, fail to provide reasonable, appropriate, and sufficient security to prevent unauthorized access to its customers’ wireless accounts, allowing unauthorized persons to be authenticated, and granting access to sensitive customer account information.
`
`102.
`
`In particular, T-Mobile failed to establish and implement reasonable policies,
`
`procedures, and safeguards governing the creation, access, and authentication of user credentials
`
`to access customer accounts, creating an unreasonable risk of unauthorized access.
`
`103. As such, in violation of federal law, T-Mobile has failed to ensure that only
`
`authorized persons have access to customer account data and that customer CPNI is secure.
`
`104. Among other things, T-Mobile:
`
`a. Failed to establish and enforce rules and procedures sufficient to ensure
`
`only authorized persons have access to T-Mobile customer accounts;
`
`b. Failed to establish appropriate rules, policies, and procedures for the
`
`supervision and control of its officers, agents, and employees;
`
`c. Failed to establish and enforce rules and procedures, or provide adequate
`
`supervisions or training sufficient to ensure that its employees and agents
`
`follow such rules and procedures, to restrict access by unauthorized
`
`persons;
`
`d. Failed to establish and enforce rules and procedures to ensure T-Mobile’s
`
`employees and agents adhere to the security instructions of customers with
`
`regard to accessing customer accounts;
`
`e. Failed to adequately safeguard and protect its customers’ wireless
`
`accounts;
`
`
`
`18
`
`
`
`Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 19 of 32
`
`f. Permitted the sharing of and access to user credentials among T-Mobile’s
`
`agents or employees without a pending request from the customer,
`
`reducing the likely detection of and accountability for unauthorized access;
`
`g. Failed to appropriately supervise employees and agents who granted
`
`unauthorized access to customer accounts;
`
`h. Failed to adequately train and supervise its employees, officers, and agents
`
`to prevent the unauthorized access to customer accounts;
`
`i. Failed to prevent the ability of employees, officers, and agents to access
`
`and make changes to customer accounts without specific customer
`
`authorization;
`
`j. Allowed porting out of cell phone numbers without properly confirming
`
`that the request was coming from legitimate customers;
`
`k. Lacked proper monitoring solutions and therefore failed to monitor its
`
`systems for the presence of unauthorized access in a manner that would
`
`allow T-Mobile to detect intrusions, breaches of security, and unauthorized
`
`access to customer information;
`
`l. Failed to implement and maintain readily available best practices to
`
`safeguard customer information; and
`
`m. Failed to implement and maintain internal controls to help protect against
`
`account takeovers and SIM-swapping by unauthorized persons.
`
`
`
`19
`
`
`
105. The inadequate security measures, policies, and safeguards employed by T-Mobile created an unreasonable risk of unauthorized access to the accounts of its customers, including that of Buchanan.

106. Upon information and belief, T-Mobile