AT&T Sued for Negligence Surrounding Crypto SIM-Swapping Attacks Resulting in $1.8m Loss
A civil complaint was filed with the United States District Court for the Central District of California on Oct 17, suing US telco giant AT&T for allegedly allowing its employees to help malicious actors perform SIM-swapping hacks on AT&T subscribers, with one hack leading to a customer losing over $1.8m worth of digital currencies.
The victim of one of the attacks, and plaintiff in this case, Seth Shapiro claims that AT&T failed to implement systems and procedures to prevent its employees from being able to carry out such an act, essentially calling it an ‘insider job’.
This action arises out of AT&T’s repeated failure to protect its wireless cell service subscriber—Seth Shapiro—from its own employees, resulting in massive and ongoing violations of Mr. Shapiro’s privacy, the compromise of his highly sensitive personal and financial information, and the theft of more than $1.8 million.
Many cryptocurrency exchanges and software wallets require users to enable two-factor authentication (2FA), sometimes using their mobile number as the authentication factor.
A typical SIM-swap attack essentially grants the malicious actor access to your mobile number, exposing sensitive information, including SMS messages, to the malicious actor, while at the same time your own phone appears to be ‘out of service’ during the attack.
In Shapiro’s case, AT&T employees not only shared his personal information with the hacker but actually knowingly profited from the unauthorized access that led to Shapiro’s loss of his life savings.
The lawsuit is backed by previously reported details regarding nine AT&T employees subject to a criminal case filed by the US government. Among the suspects, AT&T employees Robert Jack and Jarratt White were the key names Shapiro focused on, claiming that both of them had relations with an unknown third party, identified only as JD by the authorities.
The unknown party allegedly paid Jack and White to swap the SIM card associated with Shapiro’s account to a phone JD had access to. The lawsuit goes on to state that JD compensated White and Jack with $4,300 and $585 USD respectively for swapping 29 and 12 (41 in total) unauthorized SIM cards for a profit, including Shapiro’s SIM.
Seth Shapiro, who is a two-time Emmy Award-winning media and tech expert, says that the stolen funds were generated from selling his parent’s house, from ventures in his new startup and from his life earnings which were meant to be safe and cold in a crypto wallet.
In his lawsuit, Shapiro is asking the court for financial damages, pointing out that AT&T violated privacy requirements applied to common-carrier phone companies under the Communications Act.
Furthermore, he accuses AT&T of violating the California Unfair Competition Law by failing to disclose its inadequate security practices and by making material misrepresentations “concerning its sale of access to and safeguarding of Shapiro’s” personal data, saying AT&T is also guilty of negligence and of violating the US Computer Fraud and Abuse Act.
The 58-page complaint overall expresses Shapiro’s rage at his personal data being abused by a company that promises its users that it doesn’t sell personal information to third parties, leveling a series of charges that portray AT&T as having failed to establish the level of security it promises to its subscribers.
SIM-swapping is not a new way of gaining access to someone’s personal information, but it’s a relatively new way to steal cryptocurrencies from users who initially set up their mobile phone as a 2FA factor for stronger security.
While AT&T denies every allegation, historical data cannot be erased easily and it is most likely that Shapiro will finally manage to get his funds back one way or another.