Court says AT&T SIM hack plaintiff's $24M crypto loss not result of security lapse, must amend suit
July 26, 2019, 1:03PM EDT · 5 min read
- A cell phone user is suing provider AT&T for failing to secure his SIM card from hackers, allegedly resulting in a loss of crypto funds
- The plaintiff said hackers stole $24 million worth of crypto over two days by changing his password remotely after repeatedly failing to change it in stores
- The Court found that the plaintiff failed to prove how the flaws in AT&Ts security caused the theft and now has a period to amend his suit
Disclaimer: These summaries are provided for educational purposes only by Nelson Rosario and Stephen Palley. They are not legal advice. These are our opinions only, aren’t authorized by any past, present or future client or employer. Also we might change our minds. We contain multitudes.
As always, Rosario summaries are “NMR” and Palley summaries are “SDP".
[related id=1] Terpin v. AT&T Mobility, LLC, 2019 U.S. Dist. LEXIS 121905 (D. C.D.Cal., 2:18-cv-06975-ODW, 7/19/2019) [SDP]
This case involves SIM swapping, cryptocurrency theft and black letter law. Plaintiff had cell phone service via AT&T and a significant amount of cryptocurrency. According to the opinion, “[a]fter hackers attempted and failed eleven times to change Mr. Terpin’s AT&T password in AT&T stores, the hackers were able to change his password remotely.” This allowed them to access accounts for which he used his telephone for authentication, and also allowed the hackers to convince Plaintiff’s client to send them cryptocurrency. By the time AT&T was able to get control of the number back to Plaintiff, he says he had lost “substantial funds.”
Two days after this initial loss, Plaintiff met with AT&T representatives and they “allegedly promised” to put a higher level of security on his phone, including a six-digit passcode, that would prevent anyone other than him or his wife from transferring the phone number to another phone. Alas, this didn’t work, and in January 2018, an AT&T store employee in Connecticut “assisted an impostor with a SIM card swap.” Long story, short: over a two-day period Plaintiff says the impostor stole $24 million worth of cryptocurrency from him.
Plaintiff sued AT&T, alleging 16 causes of action, which I am not going to list in detail here. They include a bunch of claims for state and federal statutory violations, a bucket full of tort claims, and a request for a declaratory judgment. You will see why I don’t go into detail about the causes of action in a second.
AT&T filed a motion to dismiss under Rule 12(b)(6) of the Federal Rules of Civil Procedure, saying that the plaintiff had failed to state a claim upon which relief could be granted. This is an early motion that you file in a case and when ruling on it the Court has to take the facts alleged at face value and assume they are true. The question is whether (if the facts are true) there’s a legally plausible claim. With one exception the Court says, no, there isn’t.
Here’s the problem. In order to prove damages you have to show something called proximate cause. Proximate cause is also sometimes referred to as legal cause (as opposed to cause-in-fact). AT&T made two arguments: “(1) the independent, intervening criminal acts of others, the hackers/imposter, destroy proximate cause; and (2) Mr. Terpin failed to adequately allege how the flaws in AT&T’s security resulted in Mr. Terpin’s funds being stolen.”
The Court agreed with AT&T, for the most part. On the one hand, the Court agrees that Plaintiff “has sufficiently alleged that the criminal acts of a third party were reasonably foreseeable by AT&T.” On the other hand, “Mr. Terpin fails to sufficiently allege proximate cause. Mr. Terpin does not connect how granting the hackers/fraudsters access to Mr. Terpin’s phone number resulted in him losing $24 million. Based on the allegations of the Complaint, Mr. Terpin asserts that AT&T assisted the hackers with a SIM card swap, thus granting the hackers access to Mr. Terpin’s phone number. This allegedly resulted in Mr. Terpin losing $24 million in cryptocurrency. However, Mr. Terpin does not explain how the hackers accessed Mr. Terpin’s cryptocurrency account(s), whether they sold Mr. Terpin’s cryptocurrency then transferred the money, or whether they transferred the cryptocurrency to a cold wallet. At this stage, the Court is left to speculate how having access to Mr. Terpin’s phone number resulted in the theft of cryptocurrency.”
Because of this basic pleading flaw, the Court dismissed every cause of action in the complaint except for a declaratory judgment claim, with leave to amend in a 20-day period. I suspect that Plaintiff will be able to overcome the pleading defect in an amended pleading, but the question about proximate cause, and whether the damages were caused by independent third-party criminal acts will certainly reappear as a defense — and not a bad one — later in the case. Also, if this was foreseeable to AT&T it’s not clear why it wasn’t foreseeable to Plaintiff, and one would expect to AT&T to raise this as a defense as well. It does seem rather astonishing that a sophisticated crypto holder would leave this much crypto on an exchange, continuing to use SMS two-factor authentication with a phone that had already been compromised. This isn’t to excuse AT&T but, well, you can see the argument they will make.
The Court did deny the motion to dismiss regarding the declaratory judgment count, which may or not be a Pyrrhic victory for Plaintiff. In short, the Court agreed that the DJ claim was sufficiently alleged and that a decision about whether the AT&T wireless agreement is unconscionable and void as against public policy is ripe for adjudication. Basically, plaintiff wants to get the agreement thrown out because it would require arbitration of the claim. Of course this all moot if plaintiff can’t get damages, but it does seem likely that we will see a ruling on the enforceability of the agreement and that Plaintiff will be able to replead his complaint so that he sufficiently alleges proximate cause.
The Block is pleased to bring you expert cryptocurrency legal analysis courtesy of Stephen Palley (@stephendpalley) and Nelson M. Rosario (@nelsonmrosario). They summarize three cryptocurrency-related cases on a weekly basis and have given The Block permission to republish their commentary and analysis in full. Part I of this week's analysis, Crypto Caselaw Minute, is above.
© 2021 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.