Mr. Terpin v. AT&T

Terpin v. AT&T Inc., AT&T Mobility, LLC, and DOES 1–25

One of the biggest news stories of the week was Michael Terpin (“Mr. Terpin”) suing AT&T after getting his sim-card hijacked. These types of hacks through the phone company are not a new phenomenon, but certainly, at $24 million, this is the biggest to date. Mr. Terpin has a PR Firm, Transform, and has worked with many crypto and tech companies, including Marketwire, SocialRadius, BitAngels, Bitcoin Syndicate and CoinAgenda. See https://medium.com/@Finom.io/famous-people-in-the-world-of-cryptocurrency-77b8aafbf234

His lawsuit is for $224 Million, includes hefty punitive damages in addition to the $24 million in compensatory damages. He hired the decorated trial attorney Pierce O’Donnell of Greenberg Glusker, who has been called one of the “100 Most Influential Lawyers in America by The National Law Journal, as one of “California’s Top Entertainment Lawyers” by the Daily Journal, and “MVP of the Year” by Law360. See https://www.greenbergglusker.com/pierce-odonnell/

In the Complaint, it says that Mr. Terpin was victimized by not one, but two hacks over the past seven months. An imposter went into AT&T pretending to be Mr. Terpin and gained access to his phone when the employee ported the number. The AT&T store employee failed to demand ID, making it seem suspicious that they may have been a paid cooperater in cahoots with the hacker. See Complaint, ¶ 8. https://www.documentcloud.org/documents/4758101-Terpin-v-Att.html.

The Complaint goes on to compare the employee’s act of giving access to his phone to a hotel front-desk staff giving a thief someone’s room card and a key to their safe. See Complaint, ¶ 10.

SIM CARD HACKS:

The Complaint also alleges that AT&T customers have been the subjects of more privacy violations than any other phone company. In fact, the Electronic Frontier Foundation recently called out AT&T’s hypocrisy in their “Internet Bill of Rights” when in fact, “few companies have done more to combat privacy and network neutrality than AT&T.” See Complaint, ¶ 18 (citing https://www.eff.org/deeplinks/2018/-1-hypocrisy-atts-internet-billl-rights).

As a common carrier, AT&T has a duty to protect customer proprietary network information (“CPNI”) and confidential and personal information under the Section 222 of the FCA, 47 U.S.C. § 222. “Phone companies have to have effective safeguards to protect against unauthorized use or disclosure of CPNI. “See Complaint, ¶ 26 (citing 47 CFR § 64.2001 et seq. (“SPNI Rules”). The rules limit what AT&T can disclose to a third party without first getting customer approval, with the exception of law enforcement.

On April 8, 2015 the FCC fined AT&T $25 million for violating these privacy rules, and handing CPNI data of over 280,000 customers to thieves. See Complaint, ¶ 32. The investigation showed that AT&T call center employees were giving out names, phone numbers and social security numbers to unauthorized third parties, who used this information to gain access to unlock codes for cell phones. It also came out that criminals were often paying these employees. See Complaint, ¶ 34. Now AT&T has heightened reporting requirements, where it must disclose any breaches to the FCC within 15 days of discovery. See Complaint, ¶ 43.

The complaint quoted a Motherboard article that said, “SIM swapping consists of tricking a provider like AT&T or T-Mobile into transferring the target’s phone number to a SIM card controlled by the criminal. Once they get the phone number, fraudsters can leverage it to reset the victims’ passwords and break into their online accounts (cryptocurrency accounts are common targets.) In some cases, this works even if the accounts are protected by two-factor authentication. This kind of attack, also known as “port out scam,” is relatively easy to pull off and has become widespread.” See https://motherboard.vice.com/en_us/article/a3q7mz/hacker-allegedly-stole-millions-bitcoin-sim-swapping.

Mr. Terpin alleges that AT&T should have been protected against this type of hacking since they were well aware of the risk and that AT&T should have known its employees were cooperating with criminals. There is no internal procedure to safeguard against the employee porting the phone number; they have the ability to override the passcode. Once the passcode is changed over, the number can be easily ported. See Complaint, ¶ 57. Apparently, much information on this type of hack came to light after a Michigan mother called the police on her son who she overheard talking on the phone pretending to be an AT&T customer service agent. See Complaint, ¶ 59.

THE JUNE 11, 2017 HACK:

Mr. Terpin’s phone became suddenly inoperable and he learned from AT&T a few days later that his password had been changed remotely after 11 attempts in AT&T stores had failed. The hackers scoured his personal information including phone calls and text messages to get access to his crypto accounts. They stole his identity on his Skype account, and convinced one of Mr. Terpin’s clients to send them the payment. Finally AT&T cut off the hacker’s access. He notified AT&T that the hacker had stolen a substantial amount of money and AT&T agreed to put enhanced security protections on his account. See Complaint, ¶ 69.

THE JANUARY 7, 2018 HACK:

Mr. Terpin’s phone went dead again, and an employee at an AT&T store in Connecticut ported his wireless number to an imposter in violation of AT&T’s commitment to use enhanced security. The hackers stole nearly $24 million worth of cryptocurrency. He immediately called AT&T to cancel the account, but the employees were too slow, they kept his wife on the line for over an hour in attempt to contact the fraud department, which does not operate on Sundays. See Complaint, ¶ 73. The employee who ported his number to the hacker had to see the warnings on the screen stating a need for heightened vigilance and requiring a six-digit password.

CLAIMS FOR RELIEF AGAINST AT&T

The first claim focuses on the unenforceability of AT&T Consumer Agreement as Unconscionable and Contrary to Public Policy — the Complaint beautifully goes through AT&T’s standard user agreement and points out the gross negligence that AT&T disclaims all of its responsibilities to the customers. Some of the more egregious language is pointed out, such as:

WE DO NOT GUARANTEE YOU UNINTERRUPTED SERVICE OR COVERAGE. . . . AT&T MAKES NO WARRANTY, EXPRESS OR IMPLIED, OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, SUITABILITY, ACCURACY, SECURITY OR PERFORMANCE REGARDING ANY SERVICES, SOFTWARE OR GOODS, AND IN NO EVENT SHALL AT&T BE LIABLE WHETHER OR NOT DUE TO ITS OWN NEGLIGENCE, FOR ANY:

a) Act or omission of a third party;

b) Mistakes, omissions, interruptions, errors, failures to transmit, delays, or defects in the Services or Software provided by or through us;

c) Damages or injury caused by the use of Services, Software, or Device, including use in a vehicle…

See Complaint, ¶ 94.

Mr. Terpin also alleges that the agreement is unenforceable because it is tainted with illegality so that the contract as a whole cannot be enforced.” Therefore, the arbitration section should also be unenforceable. See Complaint, ¶ 96.

The second claim for relief is based on the unauthorized disclosure of Customer Confidential Proprietary Information and Proprietary Network Information (Federal Communications Act, 47 U.S.C. §§ 206, 222). It basically says a common carrier is liable to anyone they injure for the full amount of damages sustained along with reasonable attorney’s fees. See Complaint, ¶ 108.

The third claim is for assisting unlawful access to a computer under California Penal Code § 502 et seq. This was allegedly violated when AT&T handed over Mr. Terpin’s personal information after already being put on notice that his information was vulnerable for attack, and failing to use the six-digit passcode. See Complaint, ¶ 116.

The fourth, fifth & sixth claims focus on AT&T’s violation of California’s Unfair Competition Law and Unlawful business practices. Because AT&T purported it had implemented technology and security features when it failed to do so, Mr. Terpin should be entitled to restitution, disgorgement of wrongfully obtained profits, and injunctive relief. AT&T violated its commitment to maintain the confidentiality and security of Mr. Terpin’s confidential information and violated the industry standards relating to data security. See Complaint, ¶ 140. Additionally, AT&T allegedly engaged in fraudulent business practices by stating Mr. Terpin’s information was safe when they knew it wasn’t. See Complaint, ¶ 146.

The seventh claim is for a violation of California Consumer Legal Remedies Act (“CLRAJ”), where AT&T used unfair methods of competition and unfair or deceptive acts or practices intended to result in the sale or lease of goods or services to any consumer. It’s also illegal to represent that goods have certain characteristics which they don’t have or to represent that goods or services are of a particular quality if they are not. Basically, AT&T told Mr. Terpin that he was getting a secure service, and that was a big lie, and therefore, a violation of the CLRA. See Complaint, ¶ 156.

The eighth claim is of direct concealment because AT&T knew its data security measures were grossly inadequate and that its employees could easily bypass the procedures to cooperate with hackers, but did nothing to protect its clients. See Complaint, ¶ 176.

The remaining claims are for misrepresentation, negligence, negligent supervision and training, negligent hiring, breach of contract — focusing on the privacy policy, breach of implied contracts, breach of the covenant of Good Faith and Fair Dealings, violation of California’s Customer Records Act — Inadequate Security.

PRAYER FOR RELIEF

Mr. Terpin demands judgment against the AT&T for:

1. general damages in the amount of $24 million

2. punitive damages for nine times the amount of general damages ($216 million)

3. Preliminary injunctive relief restraining AT&T from continuing to engage in unfair competition, unfair practices, violation of privacy, and other actions;

4. For a declaration that the Agreement in its entirety is unenforceable as unconscionable and against public policy (or at least that the damages resolution and indemnity against Mr. Terpin are unenforceable)

5. Attorney’s fees

6. Restitution, disgorgement of wrongfully obtained profits and injunctive relief;

7. A declaration that AT&T’s conduct violated the California Legal Remedies Act; and

8. For interest and costs of suit and such other further relief as the Court deems just and proper.

CONCLUSION

I really hope he wins and AT&T and all the other companies where this type of hack is taking place are forced to improve their security. It’s interesting to see how much responsibility companies like this avoid through the words in their Service Agreements that customers have no chance to negotiate. The overall lesson, keep your Bitcoin in cold storage.