Sixteen counts of fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background, and related charges were the subject of a complaint filed with the U.S. District Court in Los Angeles by cryptocurrency entrepreneur and investor Michael Terpin.
The target of the suit is AT&T, labeled "too big to care" in the 69-page legal screed, which seeks $200 million in punitive damages and $24 million in compensatory damages. The claim: Terpin was the victim of a SIM swap fraud that happened because of AT&T's negligence.
While even the most secure cryptocurrency storage methods are not failsafe, the suit shines a light on the dangers of storing uninsured assets in an online environment.
"AT&T's studied indifference to protecting its customers' privacy and financial assets is a metastasizing cancer, threatening hundreds of millions of unsuspecting AT&T customers," said Pierce O'Donnell, lead counsel for Terpin in the complaint. "Our client had no idea when he initially signed up, nor when later he was promised the highest level of security for his account, that low-level retail employees with access to AT&T records, or people posing as them, can be bribed by criminals to override every system that AT&T advertises as unassailable."
According to press release distributed by a paid wire service, Terpin's suit seeks remedy for the January 7, 2018, theft of more than 3 million cryptocurrency tokens. The suit alleges that the currency was stolen with the help of an AT&T employee. The mode of attack, SIM swapping, which is a form of identity theft on the rise--was recently used in a highly publicized Reddit attack. SIM swapping involves re-routing communications from an individual's mobile phone to a criminal's device, and then using that access to authenticate the re-assignment of accounts to the thief.
In this case, the cellphone account was allegedly transferred to an international criminal group that has been tracked by the FBI and other federal and state law enforcement agencies. $24 million in cryptocurrency was stolen as a result of the alleged compromise.
The complaint states that, "AT&T's gross negligence is compounded by the fact it promised Terpin unbreachable [sic] security on its end through a unique, purportedly unchangeable password following a smaller SIM swap theft in June, 2017."
Promising Perfection Is Dangerous
One of the first rules in cybersecurity is that no one is safe. Breaches and compromises are the third certainty in life, right behind death and taxes. The reasons for this are many, but humans are often the cause. No one's perfect, and the same goes for systems. No matter how secure we think something is, there's someone who can break in.
If AT&T guaranteed the security of the account in question as the complaint alleges, Terpin's case may well be a landmark in the making. It has long been the case that cybersecurity and identity theft protection companies cannot promise bullet-proof protection. No one else should be able to either.
Perhaps more disturbing is the reveal on the meager protections for such a large sum of money. While the lawsuit may succeed, the question as to how it was possible for thieves to make off with $24 million worth of cryptocurrency remains. There are myriad ways to protect such assets, but two-factor authentication (susceptible to SIM swapping) is not the most secure.
A Class of One?
In a perfect world, a situation like this would be impossible. AT&T would not guarantee its security, the level of awareness regarding potential crimes would be higher, and the cyber-hygiene associated with the storage of Terpin's cryptocurrency would have been better.
We don't live in a perfect world. The DIY justice here is reminiscent of serial entrepreneur Peter Thiel's legal war against Gawker. The PayPal billionaire was famously maligned by the site, which was subsequently shuttered by the Hulk Hogan sex tape law suit backed by him. Terpin's suit is a classic version of American justice where only the wealthy can make a bid for the fullest protection of the law without having to resort to a class action suit.
What's at stake is cybersecurity. The reason a private citizen has to mount an attack: There is no sheriff in the Wild West that is the online environment in the United States. While there are some protections, it is scattershot. While that remains the case, individuals will have to fend for themselves--the wealthier among us standing a better shot at doing so.