SIM Swap Takeover Fraud: Do Victims Have Legal Recourse?
- Matthew Fischer
- Dec 2, 2021

Many of the nation’s largest wireless carriers (e.g., T-Mobile, AT&T, Verizon) hold themselves out as secure and reliable custodians of customer data. Despite these assurances, a growing number of customers are finding this not to be the case, as these carriers are failing to provide appropriate security to prevent unauthorized access. Such failures have led to various forms of account takeover fraud, most notably the scheme known as a subscriber identity module (“SIM”) swap or “SIM Swap.” As a result, criminals and fraudsters are able to hijack a customer’s phone and seamlessly impersonate that legitimate customer to conduct other fraudulent transactions. Nonetheless, victims of such attacks are not without recourse, as carriers are obligated to protect customer information and may be liable under state and federal statutes.
SIM Swaps are the most damaging and pervasive form of account takeover fraud, whereby a criminal third party is allowed to transfer (or hijack) access to a customer’s phone number from the customer’s registered SIM card to a card controlled by the third party. By way of background, a SIM card is a small, removable chip that allows a cellular phone to communicate with the wireless carrier and to know which subscriber is associated with that phone. The SIM card associated with a phone can be changed, allowing customers to move their wireless number from one cellular phone to another, and to continue accessing their carrier network when they switch phones. Unlike a direct hack of data, whereby a company plays a more passive role, SIM Swaps are ultimately effectuated by the carrier itself, and are sometimes perpetrated by employees within the carrier. Common targets are individuals known to hold cryptocurrency, because account information is often contained on cellular phones, allowing criminals to transfer the customer’s cryptocurrency to an account the third party controls. See, e.g., Kesler v. T-Mobile USA, Inc., 2:21-cv-02516 (E.D. Pa.); Cheng v. T-Mobile USA, Inc., Docket No. 1:21-cv-01085 (S.D.N.Y.); Etheridge v. AT&T, Inc. et al., Docket No. 4:21-cv-03002 (S.D. Tex.).
SIM Swaps are not a new trend, but instead have been a well-known threat since at least 2016. For example, in June 2016, the Federal Trade Commission’s then-Chief Technologist, herself a victim, recounted her experience and offered advice to help carriers avoid these attacks. See In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunication Services, WC Docket No. 16-106 (July 6, 2016). In 2019, the New York Times reported that “[c]riminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under their control” in a story regarding the SIM Swap of Twitter CEO Jack Dorsey. See Nathaniel Popper, “Hackers Hit Twitter C.E.O. in a ‘SIM-swap.’ You’re at Risk, Too,” New York Times (September 5, 2019). Moreover, a study conducted by researchers at Princeton University in early 2020 identified “weak authentication schemes and flawed policies” at several major wireless carriers in the United States. See Kevin Lee, et al., “An Empirical Study of Wireless Carrier Authentication for SIM Swaps,” Dept. of Comp. Sci. and Ctr. for Info. Tech. Policy, Princeton University (Jan. 10, 2020). Thus, regulated wireless carriers are keenly aware of the risks and of the weaknesses in their internal processes and procedures.
Regulated wireless carriers must comply with various federal and state statutes, including, but not limited to, the Federal Communications Act, 47 U.S.C. § 222 (“FCA”). The FCA obligates wireless carriers to protect “confidential proprietary information of [its] customers” and “customer proprietary network information”, commonly referred to as “CPI” and “CPNI.” To implement the FCA, the Federal Communications Commission (“FCC”) promulgated rules, 47 C.F.R. § 64.2001 et seq. and 1998 CPNI Order, to ensure that carriers establish effective safeguards to protect against unauthorized use or disclosure of CPNI. These rules limit disclosure and use of CPNI without customer approval to certain limited circumstances (e.g., cooperation with law enforcement). Importantly, the rules require carriers to implement safeguards to protect customers’ information. 47 C.F.R. § 64.2009(b), (d), and (e). These safeguards include: (a) training personnel “as to when they are and are not authorized to use CPNI”; (b) establishing “a supervisory review process regarding carrier compliance with the rules”; and (c) filing annual compliance certificates with the FCC. Id. The rules further require carriers to implement measures to prevent the disclosure of CPNI to unauthorized individuals. See 47 C.F.R. § 64.2010(a).
Based on the foregoing, wireless carriers are obligated to protect their customers. If a carrier fails to meet such obligations, it is subject to liability. Thus, hijacked customers are not without options. Depending on the terms and conditions of the parties’ wireless service agreement, legal action can be initiated in the courts and/or through arbitration for violation of state and federal law and based on other common law causes of action such as negligence.