Straight Talk Sim Swap/Port Out Incident Resulted in $250K Theft from Victim’s Coinbase Account

April 27, 2022  |   By: Max Dilendorf, Esq.

SAMPLE COMPLAINT AGAINST TRACFONE WIRELESS, INC., also d/b/a STRAIGHT TALK

AMERICAN ARBITRATION ASSOCIATION COMPLAINT SAMPLE

Claimant by and through his attorney brings this against Respondent TracFone Wireless, Inc., also d/b/a STRAIGHT TALK (“TracFone”, “Respondent”) pursuant to the Federal Communications Act, a common law theory of gross negligence, a common law theory of negligent hiring, retention, and supervision; and the Computer Fraud and Abuse Act.

INTRODUCTION

  1. This action arises out of TracFone Wireless, Inc.’s (hereinafter “TracFone”) systemic and repeated failures to protect and safeguard its customers’ highly sensitive personal and financial information against common, widely reported, and foreseeable attempts to illegally obtain such information.
  2. As a result of TracFone’s misconduct as alleged herein, including their gross negligence in failing to protect customer information, its negligent hiring and supervision of customer support personnel, and its violations of federal and state laws designed to protect wireless service consumers, Claimant lost digital assets, with a current estimated value in excess of approximately of $242,000.00 due to an unauthorized port out (also known as a “port out fraud”, “port out scam”).
  3. An unauthorized port out occurs when a number is ported out to a new carrier without proper authorization from the owner. The Federal Communications Commission (“FCC”) has set rules, guidelines, and policies aimed at preventing an unauthorized port out and it is TracFone’s responsibility to ensure authorized port out. FCC requires carriers to port a number when they receive a valid request, which means that TracFone has to make every possible effort to protect client against unauthorized port out. TracFone states that the company has made enhancements to improve the mobile account’s security, in particular when a request to transfer a number is made[1]. However, as described below unauthorized port out has occurred because of Respondent’s intentional actions and negligent practices, as well as their repeated failure to adhere to federal and state laws.

PARTIES

  1. Claimant is a resident of California.
  2. Respondent is a TracFone Wireless, Inc., also doing business as Straight Talk, is a Delaware corporation with its principal place of business at 9700 N.W. 112th Avenue, Miami, Florida 33178.

FACTUAL BACKGROUND RELEVANT TO ALL CAUSES OF ACTION

  1. TracFone is America’s largest prepaid, no-contract wireless service provider. For over 20 year TracFone advertises and sells mobile phones, mobile phone SIM cards, and prepaid mobile phone service plans under a number of brands, including Straight Talk. Straight Talk is a registered trademark of TracFone.
  2. TracFone products are available at more than 90,000 retailers nationwide. See https://www.tracfonewirelessinc.com/en/about-us.
  3. The Respondent spent over $100 million on advertising in digital, print, and national TV in the last year. See https://advertisers.mediaradar.com/tracfone-wireless-advertising-profile#MediaSpend.
  4. It is widely recognized and has been widely publicized that mishandling of customer wireless accounts, including, but not limited to, allowing unauthorized access, can facilitate identity theft and related consumer harm.
  5. Many major media outlets have written about telecommunication carrier’s port out fraud, including TracFone. These publications include, but are not limited to: The Verge[2], The Wall Street Journal[3], KrebsonSecurity[4], Phone arena[5], Head Topics[6], as well as various local media affiliates of major news outlets[7]. Further, Vice wrote an article in 2020 regarding Verizon Wireless’s attempts increase protection for users against SIM swapping hacks (which are also called port out scams), urging other mobile phone carriers to do the same[8]. In 2020 researchers at Princeton University evaluated the SIM authentication procedures at five prepaid U.S. wireless carriers, including TracFone, and found that they all used insecure authentication challenges that could easily be subverted by attackers: “Our key finding is that, at the time of our data collection, all 5 carriers used insecure authentication challenges that could easily be subverted by attackers”[9].
  6. Verizon acquired TracFone in November of 2021. According to the TracFone’s notice posted on its website on January 20, 2022: “We were recently made aware of bad actors gaining access to a limited number of customer accounts and, in some cases, fraudulently transferring, or porting out, mobile telephone numbers to other carriers”[10]. According to a Verizon spokeswoman, the attack appears to affect approximately 6,000 TracFone customers, which is part of Verizon’s approximately 24 million prepaid lines. Other customers of various TracFone brands said unknown attackers appeared to use their commandeered phone numbers to target cryptocurrency accounts[11].
  7. As one of the wireless carriers, TracFone’s operations must comply with various federal and state statutes, including (but not limited to) the Federal Communications Act (“FCA”) 47 U.S.C. §222.
  8. The FCA obligates TracFone to protect the “confidentiality of proprietary information of [its] customers” and “customer proprietary network information” (commonly referred to as “CPI” and “CPNI”, respectively). See 47 U.S.C. §222(a), (c).
  9. FCC has promulgated rules to implement Section 222 of the FCA “to ensure that telecommunications carriers establish effective safeguards to protect against unauthorized use or disclosure of CPNI.” In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, 07-22 FCC Rcd. (Mar. 13, 2007); see also 47 C.F.R. §64.2001 et seq. (“CPNI Rules”).
  10. The CPNI Rules limit disclosure and use of CPNI without customer approval to certain limited circumstances (such as cooperation with law enforcement), none of which are applicable to the facts here. See 47 C.F.R. §64.2005.
  11. The CPNI Rules also require carriers to implement safeguards to protect customers’ CPNI. See 47 C.F.R. §64.2009(b), (d), and (e).
  12. These safeguards include: (a) training personnel “as to when they are and are not authorized to use CPNI”; (b) establishing “a supervisory review process regarding carrier compliance with the rules”; and (c) filing annual compliance certificates with the FCC. Id.
  13. The CPNI Rules further require carriers to implement measures to prevent the disclosure of CPNI to unauthorized individuals. For example, “carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” 47 C.F.R. §64.2010(a).
  14. TracFone regularly holds itself out to the general public as a secure and reliable custodian of customer data, including customer’s confidential financial and personal information. According to TracFone’s Privacy Policy of May 24, 2022, TracFone is committed to client’s privacy. TracFone collects personal information to offer services, complete transactions, and maintain the highest level of customer service for all of its customers and website visitors. TracFone uses client’s personal information including, but not limited to, for fraud prevention purposes. TracFone secures personal information and uses administrative, organizational, technical, and physical safeguards to protect the personal information it collects and processes. TracFone’s security controls are designed to maintain data confidentiality, maintain data integrity. See https://www.tracfonewirelessinc.com/en/California_Privacy+Policy/.
  15. Upon information and belief, TracFone’s sales and marketing materials make similar representations regarding TracFone’s alleged implementation of various safeguards to protect its customers’ private information (as required by statutes).
  16. TracFone’s deceptive statements are designed to cover up for the fact that it is aware their security procedures can and do fall short of their expressed and implied representations and promises, as well as their statutory duties.
  17. Such failures, which lead to unauthorized access of customers’ information, were entirely foreseeable by TracFone, especially given the wide media coverage of such hackings prior to the event in dispute here.

A. PORT OUT FRAUD

  1. As TracFone is aware, various forms of account takeover fraud have been widely reported in the press, by government regulators (including the Federal Trade Commission (“FTC”) and the FCC[12]), academic publications, and multiple lawsuits across the country.
  2. These illegal schemes involve criminals and fraudsters gaining access to or “hijacking” customer wireless accounts, which often include sensitive personal and financial information, to induce third parties to conduct transactions with individuals they believe to be legitimate or known to them.
  3. Sometimes these schemes are perpetrated by employees of the wireless carriers, such as TracFone.
  4. One of the most damaging and pervasive forms of account takeover fraud is known as an “unauthorized port out” or “port out scam”, whereby a mobile phone number is illegally ported from one provider to the another when you switch your phone service. In other words, an unauthorized port out occurs when a number has ported out to a new carrier without proper authorization from the business owner.
  5. The FCC noted that since text messages are often used as a form of authentication, scammers have been focused on hijacking mobile phone numbers. Once they are able to gain access to the account and port out the number to a new carrier, they can use it for text message authentication on other accounts, in particular scammers can gain access to your financial and social media accounts. Therefore, scammers after porting out phone get a complete access to record of a user’s cell phone history, inclusive of text messages, calls, and any applications which a user has downloaded.
  6. An unauthorized port out gives scammers possibility to control the text-based two-factor authentication checks specifically designed to add a layer of protection to sensitive accounts such as bank accounts, social media accounts, and email accounts.
  7. The wireless carrier, however, must effectuate the port out. In particular, the carrier has to confirm the consumer’s identity and make a porting request. When consumers go to the new carrier to port a number, they should bring along a recent bill, which will have their correct name and address as it appears in the carrier’s database[13]. Therefore, “port out scam” is not an isolated criminal act, as it requires the wireless carrier’s active involvement.
  8. Indeed, unlike a direct hack of data, whereby a company like TracFone plays a more passive role, port out is ultimately effectuated by the wireless carrier itself. For instance, in this case, it is TracFone that approved and allowed the port out (without Claimant’s authorization), as well as all of the subsequent telecommunication activity that was used to access Claimant’s online accounts and cause the injuries suffered by Claimant.
  9. As such, by directly or indirectly exceeding authorized access to customer accounts, wireless carriers such as TracFone may be liable under state and federal statutes, such as the Federal Communications Act (“FCA”).
  10. Once a third-party has access to the legitimate user’s personal data, it can then seamlessly impersonate that legitimate user (e.g., in communicating with others or contacting various vendors).
  11. A common target of port out fraud are individuals known, or expected, to hold cryptocurrency, because account information is often contained on users’ cellular phones, allowing criminals to transfer the legitimate user’s cryptocurrency to an account controlled by the third-party.
  12. The prevalence of port out fraud and TracFone’s knowledge of such fraud, including, but not limited to that performed with the active participation of its own employees, demonstrates that what happened with Claimant’s account was neither an isolated incident nor an unforeseeable event.
  13. As a regulated wireless carrier, TracFone has a well-established duty to protect the security and privacy of CPI and CPNI from unauthorized access and TracFone is obligated to certify its compliance with this mandate to the FCC every year.
  14. The FCA expressly restricts carriers like TracFone from unauthorized disclosure of CPNI.
  15. In light of the above, at the time of the events at issue in the present case, TracFone was keenly aware of its obligations, as well as multiple weaknesses in its internal processes and procedures to authenticate legitimate customers.
  16. The failure of TracFone to have proper safeguards and security measures as recommended by the FCC resulted in damages to Claimant in an amount to be determined at trial.

B. LACK OF SECURITY PROTOCOLS

  1. TracFone has been on notice for years that their security measures were not adequate. Despite this, sufficient security measures were not in place to prevent this port out and the corresponding theft.
  2. It’s a scam that happens when fraudsters use the weakness of two-factor authentication and verification which involves the second step of the process: receiving a text message or phone call to your cellphone number.
  3. Despite this knowledge of inherent security flaws, TracFone and its officers and directors acted with a conscious and reckless disregard for the security of their customers, failing to ratify and implement policies that would protect its customers’ accounts.
  4. A valid driver’s license and a valid pin/security code should have been required in order to port a number to a new carrier.
  5. Security measures should have been in place which required the original SIM to be present in order for that information to be placed onto a new device.
  6. The fact that Claimant’s number was ported out without the original SIM device being present and without a proper identification – a valid ID corroborating Claimant’s identity points to either completely substandard security procedures or this being an inside job by a TracFone
  7. TracFone’s Representatives were either complicit with the theft or grossly negligent.
  8. TracFone’s officers and directors exhibited a conscious and reckless disregard for the security of its customers by failing to implement sufficient security protocols that led to illegal disclosure of Claimant’s personal information.
  9. Claimant has filed a police report with The Police Department.

C. FACTS RELATING TO THE EVENT IN DISPUTE

  1. Claimant is a TracFone’s d/b/a Straight Talk customer.
  2. On October 2021 Claimant realized that there was no service.[14]
  3. Claimant made his best efforts to settle the matter. In particular, Claimant contacted Respondent in order to submit all required information regarding port out and filed a formal complaint, however as for now the matter has not been resolved.
  4. During the breach, the hackers were able to disable Coinbase’s notification system, thus enabling them to make undetected transfers from Claimant’s Account.

FIRST CAUSE OF ACTION: VIOLATION OF THE FEDERAL COMMUNICATION ACT

  1. Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
  2. The FCA regulates interstate telecommunications carriers, including TracFone.
  3. TracFone is a “common carrier” or a “telecommunications carrier” engaged in interstate commerce by wire for the purpose of furnishing communication services within the meaning of Section 201(a) of the FCA. See 47 U.S.C. §201(a).
  4. As a “common carrier”, TracFone is subject to the substantive requirements of Sections 201 through 222 of the FCA. See 47 U.S.C. §§201-222.
  5. Under Section 201(b) of the FCA, common carriers may implement only those practices, classifications, and regulations that are “just and reasonable.” Practices that are “unjust or unreasonable” are unlawful.
  6. Section 206 of the FCA, entitled “Carriers’ liability for damages” provides:

In case any common carrier shall do, or cause or permit to be done, any act, matter, or thing in this chapter prohibited or declared to be unlawful, or shall omit to do any act, matter, or thing in this chapter required to be done, such common carrier shall be liable to the person or persons injured thereby for the full amount of damages sustained in consequence of any such violation of the provisions of this chapter, together with a reasonable counsel or attorney’s fee, to be fixed by the court in every case of recovery, which attorney’s fee shall be taxed and collected as part of the costs in the case.

  1. Section 207 of the FCA, entitled “Recovery of damages” further provides:

Any person claiming to be damaged by any common carrier subject to the provisions of this chapter may either make complaint to the [FCC] as hereinafter provided for, or may bring suit for the recovery of the damages for which such common carrier may be liable under the provisions of this chapter, in any district court of the United States of competent jurisdiction; but such person shall not have the right to pursue both remedies.

  1. Additionally, Section 222(c) of the FCA explicitly requires that telecommunications carriers protect its customers’ CPNI. See 47 U.S.C. §222(c).
  2. According to the CPNI Rules:

Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated contact, online account access, or an in-store visit.

In-store access to CPNI. A telecommunications carrier may disclose CPNI to a customer who, at a carrier’s retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer’s account information. In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, 07-22 FCC Rcd. (Mar. 13, 2007).

TracFone violated its duties under Section 222 of the FCA by failing to protect Claimant’s CPI and CPNI by using, disclosing, or permitting access to Claimant’s CPI and CPNI without the consent, notice, and/or legal authorization of Claimant as required by the FCA, in that upon information and belief:

  • during an in-store visit, or over the phone, Claimant’s CPI and CPNI were disclosed to someone other than Claimant by an agent of Respondent;
  • during an in-store visit, or over the phone, Claimant’s CPI and CPNI were disclosed to someone who was not properly authenticated by Respondent during an in-store visit,  or over the phone. Claimant’s CPI and CPNI were disclosed to someone who did not first present a valid photo ID to Respondent.
  1. As alleged herein, TracFone failed to protected the confidentiality of Claimant’s CPI and CPNI when it disclosed Claimant’s CPI and CPNI to third-parties without Claimant’s authorization or permission.
  2. TracFone conduct, as alleged herein, constitute knowing violations of the FCA, including sections 201(b) and 222, as well as the CPNI Rules.
  3. TracFone is also liable for the acts, omissions, and/or failures, as alleged herein, of its officers, employees, agents, or any other persons acting for or on behalf of TracFone.
  4. TracFone’s violation of the FCA allowed unauthorized parties to impersonate Claimant in transactions with others.
  5. TracFone violated the FCA, including Section 222, by allowing an unauthorized party to access Claimant’s CPI and CPNI, resulting in, inter alia, Claimant’s loss of his possessions approximately $242,000.00 worth of digital assets..
  6. As a direct consequence of TracFone’s violations of the FCA, Claimant has been damaged through the loss of his property approximately $242,000.00 worth of digital assets.
  7. Had TracFone not allowed the unauthorized access to Claimant’s account, Claimant would not have suffered this loss.
  8. TracFone, by its inadequate procedures, practices, and regulation, engages in practices which, when taken together:
  • fail to provide reasonable, appropriate, and sufficient security to prevent unauthorized access to its customers’ wireless accounts;
  • allow unauthorized persons to be authenticated; and
  • grant access to sensitive customer account information.
  1. In particular, TracFone failed to establish and implement reasonable policies, procedures and safeguards governing the creation, access, and authentication of user credentials to access customers’ accounts, creating an unreasonable risk of unauthorized access.
  2. As such, in violation of the FCA, TracFone has failed to ensure that only authorized persons have access to customer account data and that customers’ CPI and CPNI are secure.
  3. Among other things, TracFone:
  • failed to establish and enforce rules and procedures sufficient to ensure only authorized persons have access to TracFone customer accounts, including that of Claimant;
  • failed to establish appropriate rules, policies and procedures for the supervision and control of its officers, agents and employees;
  • failed to establish and enforce rules and procedures, or provide adequate supervision and/or training sufficient to ensure that its employees and agents follow such rules and procedures to restrict access by unauthorized persons;
  • failed to establish and enforce rules and procedures to ensure TracFone’s employees and agents adhere to the security instructions of customers with regard to accessing customers’ accounts, including that of Claimant;
  • failed to adequately safeguard and protect its customers’ wireless accounts;
  • permitted the sharing of and access to user credentials among TracFone’s agents or employees without a pending request from the customer, reducing the likely detection of and accountability for unauthorized access;
  • failed to appropriately supervise employees and agents, who granted unauthorized access to customers’ accounts, including that of Claimant;
  • failed to adequately train and supervise its employees, officers, and agents to prevent the unauthorized access to customer accounts;
  • failed to prevent the ability of employees, officers, and agents to access and make changes to customer accounts without specific customer authorization;
  • allowed “porting out” of cell phone numbers without properly confirming that the request was coming from legitimate customers;
  • lacked proper monitoring and, therefore, failed to monitor its systems for the presence of unauthorized access in a manner that would allow TracFone to detect intrusions, breaches of security, and unauthorized access to customer information;
  • failed to implement and maintain readily available best practices to safeguard customer information (and indeed, seemed to suggest such practices were only available to those customers who “paid for” the privilege of having their information secured);
  • failed to diagnose and determine timely the cause of Claimant’s service interruption;
  • failed to notify Claimant timely of the cause of Claimant’s service interruption; and
  • failed to implement and maintain internal controls to help protect against account takeovers and port out scams by unauthorized persons.
  1. The inadequate security measures, policies and safeguards employed by TracFone created a foreseeable and unreasonable risk of unauthorized access to the accounts of its customers, including that of Claimant.
  2. Upon information and belief, TracFone has been long aware of its inadequate security measures, policies, and safeguards, and nevertheless, induced customers into believing that its systems were secure and compliant with applicable law.
  3. TracFone, despite knowing the risks associated with unauthorized access to customer accounts, failed to utilize reasonable and available methods to prevent or limit such unauthorized access.
  4. TracFone failed in its duty to protect and safeguard customer information and data pursuant to federal law.
  5. Had TracFone implemented appropriate and reasonable security measures, Claimant would not have been damaged.
  6. In sum, Respondent’s security measures were entirely inadequate to prevent the foreseeable damage caused to Claimant.

SECOND CAUSE OF ACTION: NEGLIGENCE

  1. Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
  2. TracFone owes a duty of care to its customers to ensure the privacy and confidentiality of CPI and CPNI during its provision of wireless carrier services, as required by both federal and state law.
  3. By allowing unauthorized access to the personal and confidential information of legitimate TracFone’s customers, TracFone breached its duty of care to its customers and to foreseeable victims, including Claimant.
  4. By failing to diagnose timely and properly the cause of Claimant’s service interruption, TracFone breached its duty of care to its customers and to foreseeable victims, including Claimant.
  5. But for the inadequate security protocols, practices, and procedures employed by TracFone in protecting customer data, including Claimant’s private and confidential information, Claimant would not have suffered any damage.
  6. But for the inadequate protocols, practices, and procedures employed by TracFone in diagnosing the causes of customers’ service interruptions, Claimant would not have suffered any damages.
  7. But for those intentional actions and/or inaction of Respondent and its agents, Claimant would not have suffered damages.
  8. But for TracFone’s inability to diagnose quickly and effectively and/or determine that Claimant’s account was compromised by a port out scam – a fact that TracFone should have known – Claimant would not have suffered damages.
  9. Claimant has been damaged through the loss of his property (digital assets) with a current estimated value is approximately $242,000.00.

THIRD CAUSE OF ACTION: GROSS NEGLIGENCE

  1. Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
  2. TracFone, as required by federal and state law, owed Claimant a duty to handle and safeguard properly Claimant’s CPI and CPNI and access to his account.
  3. TracFone was required to ensure its compliance with federal law and to protect the confidentiality of its customers’ account data, including that of Claimant.
  4. Upon information and belief, TracFone willfully disregarded and/or showed reckless indifference to its duties under federal and state law to TracFone’s customers and to foreseeable victims of TracFone’s wrongful acts.
  5. Having superior knowledge of prior account takeover attacks on TracFone’s customers data and having the ability to employ internal systems, procedures, and safeguards to prevent such attacks, TracFone nevertheless failed:
  • to institute appropriate controls to prevent unauthorized access to customers’ accounts;
  • to utilize authentication systems it knew or should have known were vulnerable to account takeover attacks;
  • to implement systems to thwart such attacks, willfully disregarding the best practices of the industry in failing; and
  • to appropriately hire, retain, supervise, train, and control those officers, agents, and employees who could grant or obtain unauthorized access to customer account data.
  1. TracFone’s policies, procedures and safeguards were completely ineffective and inadequate to prevent the unauthorized access to its customers’ data, notwithstanding the requirements of the CFA, thus meeting the definition of gross negligence and warranting punitive damages for violating federal and state law.

FOURTH CAUSE OF ACTION: NEGLIGENT HIRING, RETENTION AND SUPERVISION

  1. Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
  2. At all material times herein, TracFone’s agents, officers, and employees, including, but not limited to, those directly or indirectly responsible for or involved in allowing unauthorized access to Claimant’s confidential and proprietary account information, were under TracFone’s direct supervision and control.
  3. Upon information and belief, TracFone negligently hired, retained, controlled, trained, and supervised the officers, agents, and employees under its control, or knew or should have known that such officers, agents, and employees could allow unauthorized access to customer accounts, including that of Claimant.
  4. Upon information and belief, TracFone failed negligently to implement systems and procedures necessary to prevent its officers, agents, and employees from allowing or obtaining unauthorized access to customer accounts, including that of Claimant.
  5. Upon information and belief, TracFone’s negligent hiring, retention, control, training, and supervision allowed the unauthorized access to customers’ accounts resulting in damage to TracFone’s customers and foreseeable victims in the public at large, including Claimant.
  6. Given widespread experience with account unauthorized port out (including some perpetrated and/or assisted by telecommunication carriers own employees, officers, or agents), TracFone’s failure to exercise reasonable care in screening, supervising, and controlling its officers, agents, and employees was a breach of its duty to its customers, including Claimant.
  7. TracFone’s duty to its customers and foreseeable victims to protect its customers’ data from unauthorized access is required by federal and state law.
  8. It was entirely foreseeable to TracFone that unauthorized persons would attempt to gain unauthorized access to TracFone customers’ data and, despite this, TracFone failed to implement sufficient safeguards and procedures to prevent its officers, agents, and employees from granting or obtaining such unauthorized access.
  9. Upon information and belief, TracFone engaged in the acts alleged herein and/or condoned, permitted, authorized, and/or ratified the conduct of its officers, agents, and employees.
  10. As a direct consequence of TracFone’s negligent hiring, retention, control and supervision of its officers, agents, and employees, who enabled or obtained the unauthorized access to Claimant’s account, Claimant was damaged through the loss of his digital assets with a current estimated value in excess of approximately $242,000.00.

FIFTH CAUSE OF ACTION: VIOLATIONS OF THE COMPUTER FRAUD AND ABUSE ACT

  1. Claimant incorporates by reference all facts and allegations of this Complaint, as if the same were fully set forth herein.
  2. The CFAA governs those who intentionally access computers without authorization or who intentionally exceed authorized access, and as a result of such conduct cause damage and loss.
  3. As alleged herein, a port out scam requires the intentional access to customer computer data by TracFone which exceeds its authority, and which causes damage and loss. As such, TracFone is subject to the provisions of the CFAA.
  4. TracFone’s conduct, as alleged herein, constitutes a knowing violation of the CFAA.
  5. TracFone is also liable for the acts, omissions, and/or failures, as alleged herein, of any of its officers, employees, agents, or any other person acting for on behalf of TracFone.
  6. TracFone violated its duty under the CFAA by exceeding its authority to access the computer data and breach the confidentiality of the proprietary information of Claimant using, disclosing, or permitting access to Claimant’s CPNI without the consent, notice, and/or legal authorization of Claimant as required by the CFAA.
  7. Section 1030(g) of the CFAA provides, in pertinent part:

Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage….

  1. Claimant alleges he has suffered damages which exceed the threshold of $5,000.00 as required by Section 1030(c)(4)(A)(i)(I) of the CFAA.
  2. Claimant alleges TracFone’s unlawful conduct has caused damage which exceeds approximately $242,000.00.
  3. Claimant has brought this claim within two (2) years of the date of discovery of the damage pursuant to Section 1030(g) of the CFAA.
  4. Claimant discovered damage on or about October 2021.
  5. Upon information and belief, TracFone’s conduct as alleged herein constitutes a violation of Section (a)(5)(A) of the CFAA.
  6. Upon information and belief, TracFone’s conduct as alleged herein may constitute a reckless violation of Section (a)(5)(B) of the CFAA.
  7. Upon information and belief, TracFone’s conduct as alleged herein may constitute an intentional violation of Section (a)(5)(C) of the CFAA.
  8. As a direct consequence of TracFone’s violations of the CFAA, Claimant has been damaged in an amount to be proven at trial but, upon information and belief, exceeds $242,000.00 plus fees and costs, including reasonable attorneys’ fees.

PRAYER FOR RELIEF

WHEREFORE Claimant demands a judgment against TracFone as follows:

  1. Enter judgment for Claimant on all counts;
  2. Award compensatory damages to Claimant arising from TracFone’s negligence;
  3. Award statutory damages to Claimant for TracFone’s FCA violations;
  4. Award punitive damages to Claimant for TracFone’s gross negligence and the conscious and reckless disregard of its customer’s data;
  5. Award statutory damages to Claimant for TracFone’s CFAA violations;
  6. Award Claimant costs and reasonable attorneys’ fees;
  7. Award Claimant prejudgment interest; and
  8. Award Claimant such other and further relief as this Court deems just, fair, and proper.

References

[1] https://www.tracfonewirelessinc.com/en/CustomerSecurityMessage

[2] See https://www.theverge.com/2022/1/26/22902853/tracfone-users-phone-numbers-ported-without-consent-verizon-straight-talk

[3] See https://www.wsj.com/articles/tracfone-customers-complain-of-unwanted-phone-number-swaps-11643205624

[4] See https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/

[5] See https://www.phonearena.com/news/some-tracfone-numbers-ported-without-permission_id138095?utm_source=headtopics&utm_medium=news&utm_campaign=2022-01-27

[6] See https://headtopics.com/us/some-tracfone-customers-had-their-phone-numbers-ported-without-permission-23698920

[7] See https://www.fox2detroit.com/news/tech-security-expert-warns-about-sim-card-scam-on-t-mobile-customers;

https://www.tomsguide.com/news/tracfone-mass-port-out-number-theft

[8] See https://www.vice.com/en/article/3azv4y/verizon-sim-swapping-hack-protection-number-lock

[9] See https://www.fiercewireless.com/wireless/researchers-identify-5-prepaid-carriers-as-vulnerable-to-sim-swap-fraud

[10] https://www.tracfonewirelessinc.com/en/CustomerSecurityMessage

[11] See https://www.wsj.com/articles/tracfone-customers-complain-of-unwanted-phone-number-swaps-11643205624

[12] https://www.fcc.gov/port-out-fraud-targets-your-private-accounts

[13] https://www.fcc.gov/general/wireless-local-number-portability-wlnp#howlong

[14] Please see attached documents for more information on the hacking of Claimant’s account.

This article is provided for your convenience and does not constitute legal advice. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.

Other Resources

ALL ARTICLES

Our Founding Partner

/

Max (Maksim) Dilendorf, Esq.

Max (Maksim) Dilendorf’s legal practice is laser-focused on digital assets and cyber-crime cases, a domain he has passionately pursued since 2017. Over the past 7 years, Max built a distinct digital asset law practice, dedicating tens of thousands of hours to managing diverse client cases, research and engaging ...

Learn More about Max (Maksim) Dilendorf, Esq.
Max (Maksim) Dilendorf, Esq.

Adam Pollock

Adam is one of the nation’s leading young whistleblower lawyers.  He brings with him a special ability not just to litigate, but to investigate – and understand – complex organizations and transactions.  His extensive familiarity with tech issues is built on a computer science degree and work as a ...

Learn More about Adam Pollock
Adam Pollock

Bari Zahn, Esq.

Bari Zahn has nearly 20 years of experience practicing at global law firms in New York. Bari has represented a broad array of multinational clients on U.S. and cross-border transactions. She has supervised legal teams worldwide and has extensive management experience as the Founder, former CEO and General ...

Learn More about Bari Zahn, Esq.
Bari Zahn, Esq.

Steve Cohen

Steve contributes extensive business and problem-solving experience to challenges that may require litigation – or may help avoid it.  Indeed, his perspective on litigation is influenced by his experience as a three-time internet start-up CEO.

Steve served on Ronald Reagan’s 1980 presidential campaign ...

Learn More about Steve Cohen
Steve Cohen

Robin Gerofsky Kaptzan, Esq.

A New York licensed attorney with three decades of legal and business experience in the U.S. and Asia, Robin recently joined the law firm as a partner and leads the Asia-Pacific practice.

While acting as an international business lawyer and global corporate general counsel, Robin is sought out by clients ...

Learn More about Robin Gerofsky Kaptzan, Esq.
Robin Gerofsky Kaptzan, Esq.

Craig S. Redler

Craig S. Redler has held positions with Amicorp in its offices in Auckland New Zealand and Miami Florida, and Southpac Trust International, Inc. with offices in the Cook Islands and Tauranga New Zealand. His responsibilities included serving as Trustee for off-shore trusts settled by high net-worth clients ...

Learn More about Craig S. Redler
Craig S. Redler