.IS 44 (Rev. 10320)
`
`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 1 of 38
`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 1 of 38
`CIVIL COVER SHEET
`
`The .15 44 civil cover sheet and the infonnation contained herein neither replace nor supplement the filing and service of pleadings or other papers as required by law, except as
`provided by local rules ofeourt. This form, approved by the Judicial Conference of the United States in September l9‘i4, is required for the use of the Clerk of Court for the
`purpose of initiating the civil docket sheet.
`(SE-fl. {MWRUE‘TIONS 0N NEXTPAGE 0F THISFORM.)
`DEFENDANTS
`I. (a) PLAINTIFFS
`
`Richard Harris
`
`T-Mobile. USA, Inc., et al.
`
`Philadel hia PA
`(b) County of Residence of First Listed Plaintiff
`(EXCEPTI’N US. PIAINIW'WCASES)
`
`County of Residence of First Listed Defendant Bellevue Washington
`{in US. PLAINIIHGFC‘AAYLIE ONLY)
`IN LAND CONDEMNATION CASES, USE THE LOCATION OF
`THE TRACT OF LAND INVOLVED,
`
`NOTE:
`
`(c) Attorneys (rim Name. Address. and Teiophone Number)
`
`Attorneys (lfKnou-n)
`
`Law Offices of Kent Petry. i135 Mearns Road, #3387
`Warminster. PA 18974. Phone: 215-322-1084
`
`11. BASIS OF JURISDICTION (rim an or“ in One Box Oniy}
`Federal Question
` 3
`(US. Government Not a Party)
`
`|:| 1 us. Government
`PI ai nti f1"
`
`[Z
`
`III. CITIZENSHIP 0F PRINCIPAL PARTIES (Place an "X" in One Bambi" Morning?”
`{For Diversio» (Tam Orin»)
`and One Boxfar Defendant}
`PTF
`DEF
`PTF
`DE F
`
`Citizen of This State
`
`U 1
`
`CI
`
`1
`
`Incorporated or Principal Place
`ofBusincas In This Store
`
`a 4 El 4
`
`[I 2 US. Government
`Defendant
`
`[:1 4 Diversity
`(Indicate Citizenship ofi’amer in from if!)
`
`Citizen of Another State
`
`[1 2
`
`I] 2
`
`Incorporated and Principal Place
`of Business In Another State
`
`E] 5
`
`[j S
`
`Citizen or Subject ofa
`Forein Country
`
`|:| 3
`
`|:| 3
`
`Foreign Nation
`
`D c
`
`[:J 6
`
`
`PERSONAL INJURVr
`PERSONAL INJURYr
`I I0 Insurance
`
`I20 Marine
`I BIO Airplane
`D 365 Personal Injury -
`
`I 690 Other
`I30 Miller Act
`I 315 Airplane Product
`Product Liability
`I40 Negotiable Instrument
`Liabilityr
`|:| 36? Health Carei
`
`
`Phannaceuticnl
`150 Recovery ovaerpayment I 320 Assault, Libel &
`820 Copyrigh
`
`
`& Enforcement of Judgment
`Slander
`Personal injury
`I 430 Banks and Banking
`
`I 330 Federal Employers’
`830 Patent
`15 I Medicare Act
`Product Liability
`450 Commerce
`
`
`
`
`835 Patent - Abbreviated
`152 Recovery of Defaulted
`Liability
`[I 368 Asbestos Personal
`460 Deportation
`
`
`
`
`I 340 Marine
`Student Loans
`Injury Product
`New Drug Application
`470 Racketeer influenced and
`I 345 Marine Product
`(Excludes Veterans)
`Liability
`S40 Trademark
`Compt Organizations
`
`
`
`[:l 153 Recovery of Overpayment
`Liabiiily
`PERSONAL. PROPERTY
`880 Defend Trade Secrets
`4130 Consumer Credit
`
`
`
`
`
`
`I 350 Motor Vehicle
`Act of2016
`ofVeteran's Benefits
`3?!) Other Fraud
`[15 USC IGSI or 1692)
`
`
`
`I 355 Motor Vehicle
`Act
`[I 160 Stockholders’ Suits
`371 Truth in Lending
`485 Telephone Consumer
`
`
`I ’320 Laborr’Managernent mm Protection Act
`I90 Other Contract
`Product Liability
`380 Other Personal
`
`
`
`195 Contract Product Liability I 360 Other Personal
`Property Damage
`Relations
`861 HIA (1395ff)
`490 Cable’Sat TV
`
`
`
`
`
`
`
`
`
`862 Black Lung (923)
`I 1'40 Railway Labor Act
`196 Franchise
`injury
`I] 385 Property Damage
`850 Securitiesicommoditiesi
` I 362 Personal Injury -
`Product Liability
`I 751 Family and Medical
`863 Dlwciotww («resign
`Exchange
`
`Leave Act
`
`
`Medical Malpractice
`364 ssro Title xvr
`890 Other Statutory Actions
`
`
`365 R51 (405m))
`
`I 790 Other Labor Litigation
`891 Agricultural Acts
`
`
`
`
`
`
`893 Environmental Matters
`Haheas Corpus:
`I 791 Employee Retirement
`I 440 Other Civil Rights
`I ZIO Land Condemnation
`
`I 463 Alien Detainee
`895 Freedom of Information
`Income Security Act
`I 441 Voting
`D 220 Foreclosure
`ms: t .t'
`t
`: all «m
`
`
`
`
`
`
`
`Act
`I 510 Motions to Vacate
`'- 442 Employment
`230 Rent Lease & Ejectment
`870 Taxes (US. Plaintiff
`
`
`
`Sentence
`I 443 Housing}
`241) Torts to Land
`896 Arbitration
`or Defendant)
`
`
`I 530 General
`Accommodations
`245 Tort Product Liability
`899 Administrative Procedure
`
`
`E] an IRS—Third Party
`
`26 use 7609
`
`290 All Other Real Property I 445 Amer. wl'Disabiiities — I 535 Death Penalty
`Act-“Review or Appeal of
`
`
`Employment
`Other:
`Agency Decision
`I 462 Naturalization Application
`
`I 446 Amer. waisnbilities -
`I 540 Mandamus & Other
`
`950 Constitutionality of
`I 465 Other Immigration
`
`Other
`
`
`
`Actions
`State Statutes
`I 550 Civil Rights
`I 443 Education
`I 555 Prison Condition
`
`
`
`I 560 Civil Detainee -
`
`Conditions of
`
`
`Confinement
`
`
`
`
`
`
`
`D 3
`
`Remanded t'rol'n
`Appellate Court
`
`VI. CAUSE OF ACTION
`
`
`
`
`V. ORIGIN (Place an “X" in One But 0me
`I:I4 Reinstated or
`E I Original
`2 Removed from
`S Transferred from
`6 Multidistrict
`D 8 Multidistrict
`Reopened
`Proceeding
`State Court
`Another District
`Litigation -
`Litigation —
`(specify)
`Transfer
`Direct File
`
`
`Cite the US. Civil Statute under which you are filing {Do not citejurirrl‘icrr'ormtsramm rmim diversion:
` Federal Communications Act, 4? USE. §222
`
`Brief description of cause:
`
`Violation of the Federal Communications Act. 4? U,S.C. §222
`
` DEMAND 5
`VII. REQUESTED IN
`El CHECK IF THIS is A CLASS ACTION
`CHECK YES only if demanded in complaint:
`+150,000.DO
`COMPLAINT:
`UNDER RULE 23, F.R.CV.P.
`JURY DEMAND:
`Eras
`[I No
`—————___.___________________
`VIII. RELATED CASE(S)
`IF ANY
`
`(See im'irucrl'omj .-
`
`
`
`JUDGE
`
`DOCKET NUMBER
`DATE
`SIGNATURE OF
`NE‘r’ OF RECORD
`
`
`
`0?!06i2021
`
`FOR OFFICE USE ONLYI
`
`
`
`RECEIPT iii
`AMOUNT—_— APPLYING IFP
`
`—...___.
`JUDGE
`MAG. JUDGE——__—_
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 2 of 38
`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 2 of 38
`UNITED STATES DISTRICT COURT
`FOR THE EASTERN DISTRICT OF PENNSYLVANIA
`
`DESIGNATION FOR}!
`(to be used by counsel orpno sophintifi'to indicate the mmgory qfthe comfor- rhepm'pose ofassignment to the appropriate eolmdar)
`Address Ofmmm clo Law Offices of Kent Petty, 1135 Meams Road #3387, Warminster, PA 18974
`
`12920 SE 38th Street, Bellevue, WA 98006
`
`Address ofDefendam;
`
`Place of Accident, Incident or Transaction:
`
`
`Philadelphia County
`
`RELA TED CASE, IF ANY.-
`
`Case Number:
`
`
`
`Judge:
`
`Date Temiinated:
`
`Civil cases are deemed related when Fee is answered to any of the following questions:
`
`1.
`
`Is this case related to property included in an eat-tier mannered suit pending or within one year
`previously terminated action in this court?
`
`Does this case involve the same issue offact or grow out of the same transaction as a prior suit
`pending or within one year previously terminated action in this court?
`
`Does this case involve the vaiidity or infi'ingement ofa patent already in suit or any earlier
`numbered case pending or within one year previously terminated action of this court?
`
`Yes D
`
`Yes D
`
`Yes D
`
`Is this case a second or successive habeas corpus. social security appeal. or pro se civil rights
`case filed by the same individual?
`
`Yes D No D
`
`I certify that. to my knowledge. the within case B ls l B Is not
`this court except as noted above.
`
`related to any ca
`
`now pending or within one year previously terminated action in
`
`me once/2021
`
`CIVIL: (Place :I s' in one category only)
`
`’-
`AI." {Pro Se Ptatnrw'
`'—
`
`207659
`Attorney to. # ('u'oppi't‘eabfo)
`
`Federal Question Cases.-
`
`.
`
`Dfi-ersiry Jurisdiction (our:
`
`wewmwnwswwrtwo
`
`Indemnity Contract. Marine Contract. and All Other Contracts
`FELA
`
`Jones Act-Personal Injury
`Antitrust
`Patent
`
`Labor-Management Relations
`Civil Rights
`Habeas Corpus
`Securities Act(s) Cases
`Sociai Security Review Cases
`All other Federai Question Cases
`(Plea-w 5min)
`4mg. §222_
`
`‘99“?49‘5‘5‘P’P!‘
`
`Insurance Contract and Other Contracts
`Airplane Personal Injury
`Assault. Defamation
`Marine Personal Injury
`Motor Vehicle Personal Injury
`Other Personal Injury {Please @9050!)
`Products Liability
`Products Liability — Asbestos
`Al} other Diversity Cases
`
`(Ham 52986109
`
`
`
`
`1.
`
`Kent Petty
`
`, counsel of record orpw se plaintifi’. do hereby certify:
`
`ARBITRATION CERTIFICATION
`
`(We qfibc! ofthir certification is to mom the eonfi-om cligfbilic-for arbitration.)
`
`Pursuant to Local Civil. Rule 53.2. § 3(c) (2). that to the best of my knowiedgc and belief. the damages recoverable in this civil action case
`exceed the sum of $150,000.00 exclusive of intetest and costs:
`D Reliefother than monetary damages is sought.
`
`
`DATE: 0710612021
`
`..
`
`207659
`Attorney LB. ii {ifapplicable)
`
`Cir. 609 {372018)
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 3 of 38
`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 3 of 38
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE EASTERN DISTRICT OF PENNSYLVANIA
`
`CASE MANAGEMENT TRACK DESIGNATION FORM
`13mm) Haw s
`:
`CIVIL ACTION
`v.
`I
`
`TMOTSILQ, pail, M c;
`
`NO.
`
`In accordance with the Civil Justice Expense and Delay Reduction Plan of this court, counsel for
`plaintiff shall complete a Case Management Track Designation Form in all civil cases at the time of
`filing the complaint and serve a copy on all defendants. (See § 1:03 ofthe plan set forth on the reverse
`side of this form.)
`In the event that a defendant does not agree with the plaintiff regarding said
`designation, that defendant shall, with its first appearance, submit to the clerk of court and serve on
`the plaintiff and all other parties, a Case Management Track Designation Form specifying the track
`to which that defendant believes the case should be assigned.
`
`SELECT ONE OF THE FOLLOWING CASE MANAGEMENT TRACKS:
`
`(a) Habeas Corpus — Cases brought under 28 U.S.C. § 2241 through § 2255.
`(b) Social Security ~ Cases requesting review of a decision of the Secretary of Health
`and Human Services denying plaintiff Social Security Benefits.
`
`(c) Arbitration — Cases required to be designated for arbitration under Local Civil Rule 53.2.
`
`(d) Asbestos — Cases involving claims for personal injury or property damage from
`exposure to asbestos.
`
`(e) Special Management — Cases that do not fall into tracks (a) through (d) that are
`commonly referred to as complex and that need special or intense management by
`the court. (See reverse side of this form for a detailed explanation of special
`management cases.)
`(f) Standard Management — Cases that do not fall into any one ofthe other tracks.
`21222t #— 17%“?!a“
`
`(
`
`(
`
`(
`
`(
`
`)
`
`)
`
`)
`
`)
`
`(
`)
`(>31
`
`Date
`2:9322- )023
`T—elephone
`
`(Civ.66l]}10f02
`
`Attorney-at-law
`212’??? $553
`FAX Number
`
`
`Attorney for
`Ktnte gairylrw..u;[
`E-Mail Address
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 4 of 38
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE EASTERN DISTRICT OF PENNSYLVANIA
`
`RICHARD HARRIS
`
`
`Plaintiff,
`
`
`v.
`
`T-MOBILE USA, INC.; DOES 1
`through 10, inclusive,
`
`
`Defendant(s).
`
`
`
`
` CIVIL ACTION
` No.:
`
` JURY TRIAL DEMANDED
`
`Plaintiff, Richard Harris (“Plaintiff”), by and through his undersigned counsel, complains
`
`COMPLAINT
`
`
`
`
`
`against Defendant T-Mobile USA, Inc. (“T-Mobile” or “Defendant”) and Does 1 through 10, as
`
`follows:
`
`I.
`
`INTRODUCTION
`
`1.
`
`This action arises out of T-Mobile’s systemic and repeated failures to protect and
`
`safeguard its customers’ highly sensitive personal and financial information against common,
`
`widely reported, and foreseeable attempts to illegally obtain such information.
`
`2.
`
`As a result of T-Mobile’s misconduct as alleged herein, including their gross
`
`negligence in protecting customer information, its negligent hiring and supervision of customer
`
`support personnel and its violations of federal and state laws designed to protect wireless service
`
`consumers, Plaintiff lost 1.63151657 bitcoin (“BTC”), with a current estimated value in excess of
`
`$55,000, due to an account takeover scheme (also known as a “SIM-swap”) which could not have
`
`occurred but for Defendants’ intentional actions and negligent practices, as well as their repeated
`
`failure to adhere to federal and state laws.
`
`
`
`
`
`1
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 5 of 38
`
`
`JURISDICTION AND VENUE
`
`II.
`
`3.
`
`This Court has jurisdiction of Plaintiff’s claims pursuant to 28 U.S.C. §§1331, as
`
`this case arises under federal statutes, such as the Federal Communications Act (“FCA”) at 47
`
`U.S.C. §222, the Stored Communications Act (“SCA”) at 18 U.S.C. §2701, and the Computer
`
`Fraud and Abuse Act (“CFAA”) at 18 U.S.C. §1030.
`
`4.
`
`This Court further has jurisdiction over this matter under 18 U.S.C. §1030(g), as
`
`this case arises under the Court’s federal question jurisdiction and monetary threshold
`
`requirements pursuant to the CFAA.
`
`5.
`
`Pursuant to the Court’s supplemental jurisdiction under 28 U.S.C. §1367, it may
`
`entertain the state law claims as they are derived from a common nucleus of operative facts.
`
`6.
`
`Furthermore, the Court has jurisdiction under 28 U.S.C. §1332 in that the amount
`
`in controversy exceeds $75,000.00 and Plaintiff and Defendant are citizens of different states.
`
`Plaintiff is a resident of Pennsylvania, and Defendant is a Delaware corporation with a principal
`
`place of business in the State of Washington.
`
`7.
`
`Jurisdiction is further proper in this court under the FCA pursuant to the terms of
`
`47 U.S.C. §207.
`
`8.
`
`Venue is proper in this District pursuant to 28 U.S.C. §1391(b)(1)-(3) upon
`
`information and belief, and because:
`
`a. Plaintiff is a resident of this District;
`
`b. The wrongful conduct was directed to and was undertaken within the territory
`
`of this District; and
`
`c. Defendant conducts a substantial portion of its business in this District.
`
`
`
`
`
`
`
`2
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 6 of 38
`
`III.
`
`PARTIES
`
`9.
`
`Plaintiff, Richard Harris, is a male citizen of the United States of America residing
`
`in the Commonwealth of Pennsylvania and within Philadelphia County.
`
`10.
`
`Defendant, T-Mobile, is a corporation formed under the laws of the State of
`
`Delaware, with headquarters and principal place of business in Bellevue, Washington, that serves
`
`as the American operating arm of T-Mobile International AG & Co., a corporate entity based in
`
`Germany.
`
`11.
`
`Plaintiff is unaware of the names and capacities of those defendants sued as Does
`
`1 through 10, but will seek leave to amend this complaint once their identities become known to
`
`Plaintiff. Upon information and belief, Plaintiff alleges that at all relevant times, each defendant,
`
`including the Doe defendants 1 through 10, was the officer, director, employee, agent,
`
`representative, alter ego, or co-conspirator of each of the other defendants, and in engaging in the
`
`conduct alleged herein was acting in the course and scope of and in furtherance of such a
`
`relationship.
`
`12.
`
`Unless otherwise specified, Plaintiff will refer to all defendants collectively as
`
`“Defendant” and each allegation pertains to each Defendant.
`
`13.
`
`At all times material hereto, Defendant acted and/or failed to act in person and/or
`
`through duly authorized agents, servants, workmen, and/or employees, acting within the scope and
`
`course of their authority and/or employment for and/or on behalf of Defendant.
`
`IV.
`
`A.
`
`14.
`
`FACTUAL BACKGROUND
`
`GENERAL BACKGROUND
`
`T-Mobile markets and sells wireless cellular phone service through standardized
`
`wireless service plans via various retail locations, online sales, and over the telephone.
`
`
`
`
`
`3
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 7 of 38
`
`15.
`
`T-Mobile maintains accounts for its wireless customers, enabling them to access
`
`information about the services they purchase from T-Mobile.
`
`16.
`
`It is widely recognized and has been widely publicized that mishandling of
`
`customer wireless accounts, including, but not limited to, allowing unauthorized access, can
`
`facilitate identity theft and related consumer harm.
`
`17.
`
`Numerous instances of mishandling of customer account information have
`
`occurred at T-Mobile.
`
`18.
`
`As one of the nation’s largest wireless carriers, T-Mobile’s operations must comply
`
`with various federal and state statutes, including (but not limited to) the Federal Communications
`
`Act ("FCA") 47 U.S.C. §222.
`
`19.
`
`The FCA obligates T-Mobile to protect the “confidential proprietary information
`
`of [its] customers” and “customer proprietary network information” (commonly referred to as
`
`“CPI” and “CPNI”, respectively). See 47 U.S.C. §222(a), (c).
`
`20.
`
`The Federal Communications Commission (“FCC”) has promulgated rules to
`
`implement Section 222 of the FCA “to ensure that telecommunications carriers establish effective
`
`safeguards to protect against unauthorized use or disclosure of CPNI.” 1998 CPNI Order, 13 FCC
`
`Rcd. at 8195 ¶193; see also 47 C.F.R. §64.2001 et seq. (“CPNI Rules”).
`
`21.
`
`The CPNI Rules limit disclosure and use of CPNI without customer approval to
`
`certain limited circumstances (such as cooperation with law enforcement), none of which are
`
`applicable to the facts here. See 47 C.F.R. §64.2005.
`
`22.
`
`The CPNI Rules also require carriers to implement safeguards to protect customers’
`
`CPNI. See 47 C.F.R. §64.2009(b), (d), and (e).
`
`
`
`
`
`4
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 8 of 38
`
`23.
`
`These safeguards include: (a) training personnel “as to when they are and are not
`
`authorized to use CPNI”; (b) establishing “a supervisory review process regarding carrier
`
`compliance with the rules”; and (c) filing annual compliance certificates with the FCC. Id.
`
`24.
`
`The CPNI Rules further require carriers to implement measures to prevent the
`
`disclosure of CPNI to unauthorized individuals. For example, “carriers must take reasonable
`
`measures to discover and protect against attempts to gain unauthorized access to CPNI.” See 47
`
`C.F.R. §64.2010(a).
`
`25.
`
`T-Mobile regularly holds itself out to the general public as a secure and reliable
`
`custodian of customer data, including customer’s confidential financial and personal information.
`
`26.
`
`T-Mobile maintains that it uses a variety of “administrative, technical, contractual,
`
`and physical safeguards” to protect customers’ data against “unlawful, or unauthorized destruction,
`
`loss, alteration, access, disclosure, or use while it is under our control.” See https://www.t-
`
`mobile.com/privacy-center/our-practices/privacy-policy, as of June 2, 2021.
`
`27.
`
`As an example, T-Mobile explicitly states that “when you contact us by phone or
`
`visit us in our stores, we have procedures in place to make sure that only the primary account
`
`holder or authorized users have access.” Id.
`
`28.
`
`Upon information and belief, T-Mobile’s sales and marketing materials make
`
`similar representations regarding T-Mobile’s alleged implementation of various safeguards to
`
`protect its customers’ private information (as required by statutes).
`
`29.
`
`Despite these assurances and other similar statements, T-Mobile failed to provide
`
`reasonable and appropriate security to prevent unauthorized access to customers’ accounts.
`
`30.
`
`For instance, upon information and belief, under the inadequate procedures (if any)
`
`implemented by T-Mobile, unauthorized persons, including T-Mobile’s own officers, agents, and
`
`
`
`
`
`5
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 9 of 38
`
`employees can authenticate, access, share, and make changes to customers’ information without
`
`customer permission.
`
`31.
`
`T-Mobile failed to disclose or made deceptive statements designed to cover up for
`
`the fact that it is aware that their security procedures can and do fall short of their expressed and
`
`implied representations and promises, as well as their statutory duties.
`
`32.
`
`Such failures, which lead to unauthorized access of customers’ information, were
`
`entirely foreseeable by T-Mobile.
`
`B.
`
`33.
`
`“SIM-SWAPPING” SCAM
`
`As T-Mobile is aware, various forms of account takeover fraud have been widely
`
`reported in the press, by government regulators (including the Federal Trade Commission (“FTC”)
`
`and the FCC), academic publications, and multiple lawsuits across the country.
`
`34.
`
`These illegal schemes involve criminals and fraudsters gaining access to or
`
`“hijacking” customer wireless accounts, which often include sensitive personal and financial
`
`information, to induce third parties to conduct transactions with individuals they believe to be
`
`legitimate or known to them.
`
`35.
`
`Sometimes these schemes are perpetrated by employees of the wireless carriers,
`
`such as T-Mobile.
`
`36.
`
`One of the most damaging and pervasive forms of account takeover fraud is known
`
`as a “SIM-Swap”, whereby a third-party (with the help of a wireless carrier like T-Mobile) is
`
`allowed to transfer access to a customer’s cellular phone number from the customer’s registered
`
`“subscriber identity module” card (or “SIM card”) – to a SIM card1 controlled by the third party.
`
`
`1 A SIM card is a small, removable chip that allows a cell phone to communicate with the wireless carrier and to
`know which subscriber is associated with that phone. The SIM card associated with a wireless phone can be
`changed, allowing customers to move their wireless number from one cell phone to another, and to continue
`
`
`
`
`
`6
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 10 of 38
`
`37.
`
`The wireless carrier, however, must effectuate the SIM card reassignment and,
`
`therefore, “SIM-swapping” is not an isolated criminal act, as it requires the wireless carrier’s active
`
`involvement to swap the SIM containing information regarding its customer to an unauthorized
`
`person’s phone.
`
`38.
`
`Indeed, unlike a direct hack of data, whereby a company like T-Mobile plays a
`
`more passive role, SIM-swaps are ultimately effectuated by the wireless carrier itself. For instance,
`
`in this case, it is T-Mobile that approved and allowed the SIM card change (without Plaintiff’s
`
`authorization), as well as all of the subsequent telecommunication activity that was used to access
`
`Plaintiff’s online accounts and cause the injuries suffered by Plaintiff.
`
`39.
`
`As such, by directly or indirectly exceeding the authorized access to customer
`
`accounts, wireless carriers such as T-Mobile may be liable under state and federal statutes, such
`
`as the Federal Communications Act (“FCA”).
`
`40.
`
`Once a third-party has access to the legitimate user’s SIM card data, it can then
`
`seamlessly impersonate that legitimate wireless customer (e.g., in communicating with others or
`
`contacting various vendors).
`
`41.
`
`A common target of SIM-swapping and account takeover fraud are individuals
`
`known, or expected, to hold cryptocurrency, because account information is often contained on
`
`users’ cellular phones, allowing criminals to transfer the legitimate user’s cryptocurrency to an
`
`account the third-party controls.2
`
`
`accessing their carrier network when they switch cell phones. The wireless carrier must effectuate the SIM card
`reassignment.
`2 Indeed, over the past year, T-Mobile has been subjected to multiple lawsuits, where as a result of SIM-swaps
`effectuated by T-Mobile, cryptocurrency holders have lost millions of dollars’ worth of cryptocurrency. See Kesler
`v. T-Mobile USA, Inc., 2:21-cv-02516-PBT (E.D.Pa.); Cheng v. T-Mobile USA, Inc., Docket No. 1:21-cv-01085
`(S.D.N.Y.); Middleton, et al v. T-Mobile USA, Inc., Docket No. 1:20-cv-03276 (E.D.N.Y.).
`
`
`
`
`
`7
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 11 of 38
`
`42.
`
`SIM-swaps are not a new unforeseeable phenomenon, but instead have been
`
`discussed by federal authorities and telecommunications companies since at least 2016.
`
`43.
`
`In June 2016, the FTC’s then Chief Technologist, herself a victim of an account
`
`takeover, recounted her experience and offered advice to wireless carriers to help consumers avoid
`
`these takeover attacks, stating:
`
`The mobile carriers are in a better position than their customers to
`prevent identity theft through mobile account hijacking and
`fraudulent new accounts. In fact, many of them are obligated to
`comply with the Red Flags Rule, which, among other things,
`requires them to have a written identity theft prevention program.
`
`Carriers should adopt a multi-level approach to authenticating both
`existing and new customers and require their own employees as well
`as third-party retailers to use it for all transactions…
`
`[M]obile carriers and third-party retailers need to be vigilant in their
`authentication practices to avoid putting their customers at risk of
`major financial loss and having email, social network, and other
`accounts compromised.3
`
`Attention in the media and by government regulators, however, did not ensure that
`
`44.
`
`wireless carriers like T-Mobile took security seriously enough to prevent account takeover
`
`accounts, and SIM-swapping schemes from increasing, or to convince themselves as a company
`
`to stop engaging in practices that were clearly violative of federal law.
`
`45.
`
`An empirical study conducted by researchers at Princeton University and
`
`publicized in early 2020 (the results of which were known to T-Mobile prior to publication)
`
`
`3 Lorrie Cranor, “Your mobile phone account could be hijacked by an identity thief,” Tech@FTC (June 7, 2016),
`available at https://www.ftc.gov/. Mrs. Cranor also detailed her concerns about SIM-swapping in her reply
`comments before the FCC in July 2016. See In the Matter of Protecting the Privacy of Customers of Broadband and
`Other Telecommunication Services, WC Docket No. 16-106 (July 6, 2016).
`
`
`
`
`
`8
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 12 of 38
`
`“identified weak authentication schemes and flawed policies” at several major wireless carriers in
`
`the United States, including T-Mobile.4
`
`46.
`
`The study further demonstrated that “these flaws enable[d] straightforward SIM
`
`swap attacks,” as the researchers succeeded in all ten of their attempts to effectuate a SIM-swap
`
`on T-Mobile accounts. Id.
`
`47.
`
`This study established a clearly known vulnerability of T-Mobile’s customer
`
`authentication process(es) (the use of recent call logs) that enabled criminals to easily secure access
`
`to the personal information of T-Mobile’s customers.
`
`48.
`
`Even before the results of the Princeton study were made available to T-Mobile,
`
`however, in May 2018, a popular information security blog, “Krebs on Security,” detailed several
`
`failures by T-Mobile to keep its customers’ data secure, including lack of adequate supervision of
`
`T-Mobile’s employees (one of whom perpetuated an account takeover scheme with knowledge of
`
`T-Mobile’s vulnerable internal systems), and failing to send legitimate customers notice to their
`
`personal e-mail when a SIM-swap occurs.5
`
`49.
`
`The article pointed out that T-Mobile “also acknowledged that it does not currently
`
`send customers an email to the email address on file when SIM swaps take place. A T-Mobile
`
`spokesperson said the company was considering changing the current policy, which sends the
`
`customer a text message to alert them about the SIM swap” to the phone number that is now in the
`
`third-party’s control. Id.
`
`
`4 Kevin Lee, et al., “An Empirical Study of Wireless Carrier Authentication for SIM Swaps,” Dept. of Comp. Sci.
`and Ctr. for Info. Tech. Policy, Princeton University (Jan. 10, 2020), pp. 2, 10 (discussing T-Mobile’s failures with
`respect to using call log verification based on the study’s research in January 2020).
`5 Brian Krebs, “T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account,” Krebs on
`Security (May 18, 2018), available at https://krebsonsecurity.com/.
`
`
`
`
`
`9
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 13 of 38
`
`50.
`
`As the blog’s author concluded with regard to sending a text to a phone number
`
`that is already hijacked, “obviously that does not help someone who is the target of a SIM swap.”
`
`Id.
`
`51.
`
`In a 2019 article about SIM-swapping that included multiple quotes from T-Mobile
`
`personnel, the New York Times reported that “[c]riminals have learned how to persuade mobile
`
`phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under
`
`their control.”6
`
`52.
`
`In February of 2020, the FCC issued a “Notice of Apparent Liability for Forfeiture
`
`and Admonishment,” proposing a penalty of $91,630,000.00 against T-Mobile for misuse of CPNI,
`
`where Commissioner Geoffrey Starks explained:
`
`Going forward, Americans must be able to place trust in their
`wireless carriers….[T]hese carriers know that the services they offer
`create risks for users: unauthorized location tracking, SIM hijacking,
`and billing scams to name just [a] few. Carriers must take
`responsibility for those people they allow into their operations.7
`
`Despite the massive amounts of media, governmental, and academic focus on the
`
`53.
`
`issue of SIM-swaps and the internal vulnerabilities of wireless carrier systems, T-Mobile has been
`
`unable or unwilling to institute the practices, procedures, and safeguards necessary to protect its
`
`customers’ data from account takeover and SIM-swap attacks.
`
`54. Most troubling, T-Mobile has not improved its safety protocols even though it
`
`knows from numerous incidents that some of its own employees actively cooperate with hackers
`
`in SIM-swap frauds by allowing direct access to customer information and/or by ignoring or
`
`overriding T-Mobile security procedures.
`
`
`6 Nathaniel Popper, “Hackers Hit Twitter C.E.O. in a ‘SIM-swap.’ You’re at Risk, Too,” New York Times
`(September 5, 2019).
`7 In the Matter of T-Mobile USA, Inc., File No. EB-TCD-18-00027702 (February 28, 2020).
`
`
`
`
`
`10
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 14 of 38
`
`55.
`
`The prevalence of SIM-swap fraud and T-Mobile’s knowledge of such fraud,
`
`including, but not limited to, that performed with the active participation of its own employees,
`
`demonstrate that what happened with Plaintiff’s account was neither an isolated incident nor an
`
`unforeseeable event.
`
`56.
`
`As a regulated wireless carrier, T-Mobile has a well-established duty – one which
`
`it freely acknowledges on its corporate website – to protect the security and privacy of CPI and
`
`CPNI from unauthorized access and T-Mobile is obligated to certify its compliance with this
`
`mandate to the FCC every year.8
`
`57.
`
`The FCA expressly restricts carriers like T-Mobile from unauthorized disclosure of
`
`CPNI.
`
`58.
`
`In light of the above, at the time of the events at issue in the present case, T-Mobile
`
`was keenly aware of its obligations, as well as multiple weaknesses in its internal processes and
`
`procedures to authenticate legitimate customers.
`
`59.
`
`Yet T-Mobile failed to prevent the “SIM-swap” in this case (and many others),
`
`causing Plaintiff to lose approximately 1.63151657 bitcoin (“BTC”), with a current estimated
`
`value in excess of $55,000.
`
`C.
`
`60.
`
`THE “SIM-SWAP” OF PLAINTIFF’S ACCOUNT
`
`In July of 2020, Plaintiff was a wireless customer of T-Mobile, and had placed an
`
`additional level of security onto his account through means of a PIN.
`
`61.
`
`At that time, Plaintiff was holding cryptocurrency for personal use and investment
`
`on Coinbase – a digital currency wallet and online platform to transfer and store digital currency
`
`– using Coinbase’s application on Plaintiff’s mobile phone, as well as on his computer.
`
`
`8 See, e.g., https://www.t-mobile.com/privacy-center/education-and-resources/cpni.
`
`
`
`
`
`11
`
`

`

`Case 2:21-cv-03006 Document 1 Filed 07/06/21 Page 15 of 38
`
`62.
`
`Plaintiff entrusted his sensitive private information, including, but not limited to,
`
`regarding his cryptocurrency holdings, to T-Mobile and reasonably relied on T-Mobile’s
`
`assurances of and its stated compliance with applicable laws, including (but not limited to) the
`
`FCA.
`
`63.
`
`Upon information and belief, including that ultimately provided by T-Mobile, on
`
`or around July 5th, 2020, unknown individual(s) visited a T-Mobile store in or around Miami,
`
`Florida, where T-Mobile agents allowed and provided that individual(s) unauthorized access to
`
`Plaintiff’s account and SIM data, including CPI and CPNI. Plaintiff’s data was then transferred
`
`(or “ported”) to another electronic device, and used to access Plaintiff’s information and
`
`telecommunications service.
`
`64.
`
`Upon information and belief, it is also possible that on or around the evening of
`
`July 5