AT&T is back in the news again for new legal challenges related to a sensational SIM swap case in which crypto worth $24 million was stolen from an investor by the name of Michael Terpin.
Recently, a division of the Ninth Circuit Court of Appeals overturned a recent ruling by the lower court in favor of the telecom company and thereby allowed the case to continue in trial.
This ruling also brings back on track Terpin’s lawsuit against the telecom company, and consequently, underlines important issues involving the different roles of telcos in protecting customer information.
A Lengthy Legal Fight
It all began in 2018 when Terpin fell prey to the sophisticated SIM swap attack. Scammers bribed an AT&T employee to transfer Terpin’s number to a blank card in their phone. With access to his phone, they were able to reset passwords and bypass two-factor authentication, leading to the massive theft of his cryptocurrency holdings. Despite taking extensive precautions, including consulting with security experts, Terpin found himself helpless against the attack.
Cryptocurrency investor Michael Terpin has sued a recent high school graduate for stealing $24 million worth of his cryptocurrency through a SIM swap, bypassing the two-factor authentication that protects a crypto wallet. Terpin is also seeking a total of at least $45 million…
— Wu Blockchain (@WuBlockchain) October 3, 2024
Terpin initially filed a $24 million-damage lawsuit against both AT&T and the alleged hacker, Ellis Pinsky. However, on 20th April 2023, a judge ruled in favor of AT&T, stating that they were entitled to a summary judgment that dismissed most of the claims of Terpin. This came as a shock to both Terpin and many observers as it was assumed that it was the duty of AT&T to protect the customer data.
The Appeals Court Decision
Fast forward to October 2024, the Ninth Circuit Court has reversed that ruling based on actual violations of the Federal Communications Act. The court concurs that AT&T maybe didn’t protect CPNI, or information about network use that customers reasonably expect would be kept private and safe. This is important because it means Terpin can bring damages claims against AT&T for interest and attorney fees, now more than $45 million.
According to Terpin, lead attorney pierce O’Donnell said he feels positive about the ruling. He noted that it sets a precedent for other litigants to sue telecom firms for negligence as well in case of unavailability to protect customers’ sensitive information. O’Donnell said that it doesn’t just relate to one individual but thousands of customers who have been affected due to weak security of AT&T.
Implications For Consumers
The impact of this case extends way beyond Terpin and AT&T, however. The higher that cryptocurrency usage continues to balloon, the bigger the threat of SIM swapping has become within the digital asset space. Many use SMS-based two-factor authentication methods to secure accounts, but these are easy pickings as well through means of SIM swaps. Experts note that reliance on text messages in security is bad practice.
Terpin pointed out that this would have let AT&T wriggle free of liability, setting a dangerous precedent in terms of consumer protection in telecommunications. “This isn’t about a victory for me,” he said. “It’s about ensuring companies take their responsibility seriously when it comes to protecting their customers’ data.”
Featured image from Certo Software, chart from TradingView