- AT&T will face trial over a SIM swap that took place in 2018 and saw investor Michael Terpin lose $24 million
- The Ninth Circuit Court of Appeals partially reversed a lower court’s decision, finding that AT&T may have violated federal law by exposing sensitive customer information
- The case has been sent back to the lower court to reconsider Terpin’s claims under the Federal Communications Act
AT&T will face trial over a $24 million SIM swap attack in 2018 after the Ninth Circuit Court of Appeals, but only on the charge of exposing sensitive customer information. Crypto investor Michael Terpin took the communications giant to court in 2018 after his SIM card was compromised and $24 million in cryptocurrencies stolen. The case was thrown out but Terpin appealed, with this week’s ruling finding in the company’s favor on all but one count.
$24 Million Lost in Multiple Attacks
In 2017 and 2018, Terpin was hit by multiple SIM swap attacks, resulting in the mammoth loss of his crypto holdings. He sued the hackers and AT&T, winning the former case, but AT&T managed to get its case thrown out; Terpin alleged that AT&T failed to protect his account from SIM swap fraud, which allowed hackers to reset passwords for his online accounts and steal his cryptocurrency, but the district court initially sided with AT&T.
Terpin appealed to the Ninth Circuit, which upheld the decision over negligence but found that he had raised a valid issue under the Federal Communications Act:
Terpin has established a triable issue over whether the fraudulent SIM swap gave hackers access to information protected under the Federal Communications Act.
AT&T will now have to prove that it didn’t violate its duty to protect customer proprietary network information (CPNI) in court, affording Terpin a lifeline to getting his money returned. The ruling noted that Terpin had failed to show AT&T had an obligation to disclose that its security measures could be bypassed by employees, resulting in his claim for punitive damages being rejected as he could not demonstrate that AT&T acted with malice or intent to harm.
This ruling sends the case back to the lower court, where Terpin will have the opportunity to continue his pursuit of damages under the Federal Communications Act, a decision that could have significant implications for data privacy standards in the telecommunications industry.