Crypto investor Michael Terpin has won an early victory in his attempt to sue telecom giant AT&T Mobility over a SIM-swapping hack that saw him lose a claimed $24 million.
In court documents published Friday, Los Angeles federal judge Otis Wright II ruled that AT&T must answer a lawsuit brought by Terpin for enabling the theft millions of dollars of cryptocurrency by giving access to his SIM card to hackers.
While the telco had requested that the court dismiss the lawsuit in its entirety, the judge decided that AT&T should answer to Terpin’s claims of violation of the Federal Communications Act, breach of contract, and other legal violations.
Terpin is seeking $23.8 million in compensatory damages and a further $200 million in punitive damages.
The case was first brought in August 2018, with Terpin claiming that AT&T’s employees have been complicit in a SIM swap fraud. In this type of scam, criminals pose as the owners of a victim’s mobile phone number, convincing telecom providers to grant them access to the SIM card.
Adding insult to injury, this was said to be the second time Terpin had suffered a SIM swap hack via AT&T, and he claims to have specifically told the firm that his account was high-risk and set up extra levels of security after the first incident.
In the court documents filed July 19, Judge Wright ruled that Terpin has “sufficiently alleged that the criminal acts of a third party were reasonably foreseeable by AT&T.”
Terpin further claimed declaratory relief on the grounds that some provisions of the agreement contract with AT&T were illegal.
The judge wrote in the document:
“He seeks to declare AT&T’s wireless customer agreement as unconscionable, void against public policy, and unenforceable in its entirety. … Specifically, he objects to the exculpatory provision that exempts AT&T from liability from its own negligence, acts or omissions of a third party, or damages or injury caused by the use of the device; the damages restriction clause that exempts AT&T from certain forms of damages; the indemnity provision requiring customers to indemnify AT&T for claims arising out of the services provided by AT&T; and the arbitration provision requiring Mr. Terpin to arbitrate his claims.”
While the company sought dismissal on the ground that the claim was not ripe for litigation, Judge Wright said Terpin had sufficiently alleged the claim and ruled out the motion to dismiss.
However, Terpin’s claim that AT&T caused him to lose $24 million in cryptocurrency came into some doubt. The judge said:
“Based on the allegations of the Complaint, Mr. Terpin asserts that AT&T assisted the hackers with a SIM card swap, thus granting the hackers access to Mr. Terpin’s phone number. This allegedly resulted in Mr. Terpin losing $24 million in cryptocurrency. However, Mr. Terpin does not explain how the hackers accessed Mr. Terpin’s cryptocurrency account(s), whether they sold Mr. Terpin’s cryptocurrency then transferred the money, or whether they transferred the cryptocurrency to a cold wallet. At this stage, the Court is left to speculate how having access to Mr. Terpin’s phone number resulted in the theft of cryptocurrency.”
That claim was dismissed with right to amend within 21 days.
“Judge Wright strongly repudiated AT&T’s audacious bid to prevent Michael from demonstrating to a jury the carrier’s contempt for consumers’ privacy and utter disregard of its legal obligations to prevent this very type of SIM swap and financial crime,” said Terpin’s lead counsel, Pierce O’Donnell, in a press release. “The evidence will show that AT&T not once, but twice allowed hackers posing as Michael to obtain his SIM card.”
Terpin said:
“I am grateful that Judge Wright is allowing my case to proceed. We must hold AT&T accountable. If AT&T demonstrated the same zeal to totally revamp its porous security system as it does to suppress the damning evidence of its callous indifference to its customers, we would not be in court.”
Back in May, Terpin won another case brought against the perpetrator of the $24 million SIM hack.
Terpin had filed the case against 21-year-old Nicholas Truglia early this year, saying the Manhattan resident had defrauded him of cryptocurrencies after gaining control of his cellphone number. The California Superior Court ordered Truglia to pay Terpin $75.8 million in compensatory and punitive damages.
SIM card and dollars image via Shutterstock