AT&T faces a new $1.8 million lawsuit after a subscriber says his identity—and life savings—were stolen courtesy of a SIM swapping hack. It’s the latest in a series of lawsuits attempting to hold carriers accountable for failing to prevent the attacks.
As previous Motherboard investigations have detailed, SIM hijacking (or SIM swapping) involves a hacker bribing or conning a wireless carrier employee to port out a user’s phone number right out from under them. Using the stolen phone number, attackers can do anything from selling the target’s Instagram account for cash, to emptying their bank and cryptocurrency accounts.
In his complaint, Torrance, California resident Seth Shapiro says he was targeted multiple times by the same attackers, losing $1.8 million in both cryptocurrency and traditional cash.
“AT&T failed to implement sufficient data security systems and procedures and failed to supervise its own personnel, instead standing by as its employees used their position at the company to gain unauthorized access to Mr. Shapiro’s account in order to rob, extort, and threaten him in exchange for money,” the lawsuit alleges.
A different subscriber sued AT&T last year for $220 million, claiming the carrier failed to adequately secure his account. T-Mobile was also sued last year after a customer lost thousands of dollars after his number was ported from T-Mobile to an AT&T account under the hackers control.
Shapiro told a local California Fox affiliate that he was SIM hijacked four times in total, the two biggest attacks coming in the same day. After the first attack, Shapiro said he went to a local AT&T store to demand help and get a new phone, only to be hijacked again.
“I said I want your assurance that you’re not gonna allow the number to be swapped out because this is literally financial life or death for my family, and they said yeah absolutely, we’re monitoring it,” Shapiro said. “So we turned the number on, I’m standing in the AT&T store, and within two minutes, it went dead again, and that’s when they stole our life savings.”
The complaint states investigators were not only able to identify the hackers, but the two Arizona AT&T employees who helped facilitate the scam. One employee took $4,300 to aid in the hijack, while another was paid just $585.25. Investigators also obtained chat logs featuring the hackers discussing how they were going to spend their newfound fortune.
Carriers, for their part, haven’t much wanted to talk about why they’ve continually failed to stop employees from scamming the company’s customers. Even more apathetic has been the FCC, which has yet to so much as even meaningfully comment on the rise of such attacks. That said, both the FTC and the FBI have ramped up warnings about SIM hijacking over the last year.
Shapiro’s lawsuit against AT&T may never actually see the inside of a courtroom.
Carriers have been able to skirt legal accountability for SIM hijacking and location data scandals thanks to fine print in their customer contracts. Such language bans subscribers from suing carriers, instead forcing them into binding arbitration, a lopsided process that favors corporations the lion’s share of the time.
According to the complaint, one of the hackers who targeted Shapiro was Joel Ortiz, a Boston resident convicted earlier this year in the SIM hijacking attacks on 40 people, resulting in the theft of more than $5 million. Ortiz is currently serving a 10 year prison sentence in San Quentin.
If you’re looking to avoid being a victim yourself, make sure to read Motherboard’s guide to protecting yourself from SIM hijacking.