AT&T is back in the news again with new legal challenges related to the sensational SIM swap case where $24 million worth of crypto was stolen from an investor named Michael Terpin.
Recently, a division of the Ninth Circuit Court of Appeals overturned a recent lower court decision in favor of the phone company and thereby allowed the case to proceed to trial.
The decision also reverses Terpin’s case against a telecommunications company, and as such, highlights important issues involving the different roles of telcos in protecting customer information.
The Long Legal Fight
It all started in 2018 when Terpin became the victim of a sophisticated SIM swap attack. The scammers tricked an AT&T employee into transferring Terpin’s number to a blank card in their phone. By gaining access to his phone, they were able to reset passwords and bypass two-factor authentication, leading to a massive theft of his cryptocurrency assets. Despite taking many precautions, including consulting with security experts, Terpin found himself helpless against the attack.
Cryptocurrency investor Michael Terpin is suing a recent high school graduate for stealing his $24 million worth of private money by swapping a SIM, bypassing two-factor authentication to protect the crypto wallet. Terpin is also seeking a sum of at least $45 million…
– Wu Blockchain (@WuBlockchain) October 3, 2024
Terpin initially sued for $24 million in damages against both AT&T and the alleged hacker, Ellis Pinsky. However, on April 20, 2023, a judge ruled in favor of AT&T, saying they were entitled to summary judgment dismissing most of Terpin’s claims. This shocked both Terpin and many observers as it was thought to be AT&T’s duty to protect customer data.
Decision of the Court of Appeal
Shortly before October 2024, the Ninth Circuit Court reversed that decision based on actual violations of the State Communications Act. The court acknowledges that AT&T may not have protected CPNI, or information about network usage that customers reasonably expect to be kept private and secure. This is important because it means Terpin can bring damages claims against AT&T for interest and attorney’s fees, now in excess of $45 million.
As of today, the market cap of cryptocurrencies stood at $2.05 trillion. Chart: TradingView.com
According to Terpin, lead attorney Pierce O’Donnell said he feels optimistic about the decision. He noted that it sets a precedent for other plaintiffs to sue telecommunications firms for negligence if they fail to protect sensitive customer information. O’Donnell said it’s not just one person but thousands of customers who have been affected by AT&T’s lax security.
Implications for Consumers
The impact of this case goes beyond Terpin and AT&T, however. As cryptocurrency usage continues to balloon, so does the threat of SIM replacement in the digital asset space. Many use SMS-based two-factor authentication methods to secure accounts, but this is an easy choice for SIM replacement methods as well. Experts recognize that relying on text messages for security is bad practice.
Terpin argued that this would have allowed AT&T to plead guilty, setting a dangerous precedent for consumer protections in telecommunications. “This is not about winning for me,” he said. “This is about making sure companies take their responsibility seriously when it comes to protecting their customers’ information.”
Featured image from Certo Software, chart from TradingView