T-Mobile Removes N.Y., Ill. SIM Swap Fraud Cases to District Courts
T-Mobile on Friday removed a case from New York Supreme Court in Brooklyn, said its notice (docket 1:23-cv-05206) in U.S. District Court for Eastern New York in Brooklyn. Plaintiff Benjamin Kyle sued T-Mobile and T-Mobile store employees Silvia Hernandez and Emma Nodine, alleging a T-Mobile data breach enabled Hernandez and Nodine to unlawfully access his cell phone’s SIM card with his financial information, social security number and over $30,000 in funds from his Coinbase cryptocurrency account.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
In May 2022, Kyle’s iPhone 10 stopped working. He opted out of arbitration pursuant to his customer agreement with T-Mobile, said the complaint. He went to a T-Mobile store to have the phone serviced, and when the employees contacted the T-Mobile service line to determine the problem with Kyle’s phone, T-Mobile customer service authorized a SIM card change on the phone, alleges the complaint.
Defendants Hernandez and Nodine accessed Kyle’s SIM card without his knowledge or consent when Kyle provided his cell phone to be serviced, and they intentionally retrieved his personal information, including Coinbase account information, the complaint said. T-Mobile called Kyle two days later asking him to return to the store, where defendants accessed his SIM card again, “allegedly to replace it, thereby causing a second data breach," it said.
Between May 8 and 11, the defendants used Kyle's SIM card to steal over $32,000 from his Coinbase account, the complaint said. On May 9, Kyle logged into his Coinbase account and saw his balance “was down to $5,000 from approximately $37,000.” Coinbase customer service told him funds were withdrawn after being converted to Lightcoin. The two-factor authentication on his Coinbase account had been deactivated at about the same time the SIM card was replaced, and about $32,000 had been withdrawn from his account, it said. Kyle charges the defendants with fraud, breach of contract, unjust enrichment and conversion. He seeks a money judgment to be determined at trial and attorneys’ fees and legal costs.
On Thursday, T-Mobile removed a wireless customer’s SIM swap fraud suit from Cook County Circuit Court to federal court, said a Thursday notice of removal (docket 1:23-cv-04301) in U.S. District Court for Northern Illinois in Chicago. The district court has jurisdiction because the complaint presents federal questions that are necessarily raised, actually disputed, substantial and “capable of resolution in federal court without disrupting the federal-state balance approved by Congress,” said the notice.
Plaintiff Dan Marlow, a resident of Cook County, alleged in his April complaint that his SIM card was switched “remotely without authorization,” enabling a hacker to access over 200 passwords owned by Marlow, causing over $35,000 of cryptocurrency assets to be transferred from his account to another.
In April 2022, Marlow noticed his cellphone couldn’t connect to the T-Mobile network, said the complaint. When he contacted T-Mobile about the problem, he was told his SIM card had been switched remotely without authorization by T-Mobile representative Robbys Alvarado, the complaint said. Using Marlow’s account information, Alvarado gained access to his passwords, had security codes sent to him for Marlow’s financial accounts and caused bitcoin, valued at about $37,000, to be transferred from Marlow’s Gemini account to “some other account,” it said.
When Marlow made a claim for the cryptocurrency theft, T-Mobile told him the carrier’s terms and conditions bar liability for damages caused by a third party and “preclude recovery of any indirect, special, consequential, treble, or punitive damages,” the complaint said. The terms specifically bar damages arising from “unauthorized access or changes to your Account, Service, or Device, or the use of your Account, Service, or Device by you or by others to authenticate, access, use or make changes to third party accounts, including financial, cryptocurrency, or social media accounts,” the complaint said.
The complaint cited customer proprietary network information (CPNI) rules under Title 47 of the Code of Federal Regulations "to ensure that telecommunications carriers establish effective safeguards to protect against unauthorized use or disclosure of CPNI.” Those rules limit disclosure and use of CPNI without customer approval to certain limited circumstances and require carriers to train personnel “as to when they are, and are not authorized to use CPNI,” plus establish a "a supervisory review process regarding carrier compliance with the rules," it noted.
The customer agreement is a “classic adhesion contract” imposed by T-Mobile on a party “with no bargaining power,” said the complaint. T-Mobile has “unchecked power to insist upon its own terms even if the consumer is unaware of the terms of the Agreement itself,” it said. Customers have “no ability to negotiate” any term of the agreement: “It is literally ‘take it or leave it,’" the complaint said. The indemnification clause requires a consumer to hold T-Mobile “harmless for its own negligence, deliberate behavior, gross negligence, statutory violations (including disclosure of CPNI under the FCA), or fraud” for any conduct arising out of use of the service or T-Mobile’s breach of the agreement, it said.
Marlow claims breach of the Communications Act, negligent training and supervision, breach of contract, negligence and violations of the Illinois Consumer Fraud Act. He seeks injunctive relief; compensatory and punitive damages, plus attorneys’ fees and expenses. T-Mobile didn’t comment on either case.