Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 1 of 32

UNITED STATES DISTRICT COURT FOR THE

SOUTHERN DISTRICT OF NEW YORK

CALVIN CHENG, Case No.: ________________

Plaintiff,

– against – COMPLAINT

T-MOBILE USA, INC., DEMAND FOR JURY TRIAL

Defendant.

Plaintiff CALVIN CHENG (“Plaintiff”) by and through his attorneys, WILSON & CHAN,

LLP, upon information and belief, complain and allege as follows against Defendant T-MOBILE

USA, INC. (“T-Mobile”) as follows:

NATURE OF THE CASE

1. This action arises out of T-Mobile’s systemic and repeated failures to protect and

safeguard its customers’ highly sensitive personal and financial information against common,

widely reported, and foreseeable attempts to illegally obtain such information.

2. As a result of T-Mobile’s gross negligence in protecting customer information,

including its negligent hiring and supervision of customer support personnel and its violations

of Federal laws designed to protect wireless service consumers, Plaintiff lost in excess of $450,000
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 2 of 32

in cryptocurrency due to an account takeover scheme (also known as “SIM-swapping”) which

could not have occurred but for T-Mobile’s negligent practices and its repeated failure to adhere

to federal and state law.

3. T-Mobile is one of the nation’s largest wireless carriers, having recently merged

with Sprint and is governed by numerous federal statutes, including the Federal

Communications Act (FCA).

4. T-Mobile regularly holds itself out as a secure custodian of customer data,

including customer financial and personal information.

5. T-Mobile maintains that is uses a “variety of administrative, technical, procedural,

contractual, and physical security measures” to protect customer data against “accidental,

unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use while it is under

our control.”1

6. Moreover, T-Mobile states that it maintains “authentication procedures when

[customers] contact us by phone or in retail locations to help ensure that access is provided only

to the primary account holder or authorized users of the account.”2

7. As T-Mobile is aware, SIM-swapping and other forms of account takeover fraud

have been widely reported in the press and by government regulators, including the Federal

Trade Commission (FTC) and the Federal Communications Commission (FCC), as well as by

academic research teams.

1Available at https://www.t-mobile.com/privacy-center/our-practices/privacy-policy (last accessed Jan. 27,

2021).

2 Id.

2
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 3 of 32

8. Account takeover schemes involve criminals and fraudsters gaining access to or

“hijacking” customer wireless accounts, which often include sensitive personal and financial

information, to induce third parties to conduct transactions with individuals they believe to be

legitimate or known to them.

9. One of the most damaging and pervasive forms of account takeover fraud is “SIM-

swapping” whereby a criminal third-party convinces a wireless carrier like T-Mobile to transfer

access to one of its legitimate customers’ cellular phone number from the legitimate customer’s

registered SIM-card – a small portable chip that houses identification information connecting an

account to the wireless carrier’s network3 – to a SIM-card controlled by the criminal third-party.

10. This sort of account takeover is not an isolated criminal act, per se, as it requires the

wireless carrier’s active involvement to swap the SIM to an unauthorized person’s phone.

11. As such, by directly or indirectly exceeding the authorized access to customer

accounts, wireless carriers such as T-Mobile may be liable under the Computer Fraud and Abuse

Act (CFAA).

12. Unlike a direct hack of data where a company like T-Mobile plays a more passive

role, SIM-swaps are ultimately actualized by the wireless carrier itself. It is T-Mobile, in this case,

that effectuates the SIM card change. This action remains operative and in force when the victim’s

3 A SIM (“subscriber identity module”) card is a small, removable chip that allows a cell phone to
communicate with the wireless carrier and to know which subscriber is associated with that phone. The
SIM card associated with a wireless phone can be changed, allowing customers to move their wireless
number from one cell phone to another and to continue accessing their carrier network when they switch
cell phones. The wireless carrier must effectuate the SIM card reassignment.

3
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 4 of 32

phone activity is used to hack other online accounts, extort the victim, or cause other foreseeable

injuries, such as the one suffered by Plaintiff here.4

13. Once the third-party has access to the legitimate user’s SIM-card data, it can

seamlessly impersonate the legitimate wireless customer.

14. A common target of SIM-swapping and account takeover fraud are individuals

known to, or expected to, hold large quantities of cryptocurrency as account information is often

contained on users’ cellular phones, allowing criminals to transfer the legitimate user’s

cryptocurrency to an account the criminal controls.

15. SIM-swapping is not a new unforeseeable phenomenon but, instead, has been

discussed by federal agencies since at least 2016.

16. In June 2016, the FTC’s Chief Technologist, herself the victim of an account

takeover, recounted her experience and offered advice to wireless carriers to help consumers

avoid these takeover attacks, stating:

The mobile carriers are in a better position than their customers to prevent
identity theft through mobile account hijacking and fraudulent new
accounts. In fact, many of them are obligated to comply with the Red Flags
Rule, which, among other things, requires them to have a written identity
theft prevention program.

Carriers should adopt a multi-level approach to authenticating both

existing and new customers and require their own employees as well as
third-party retailers to use it for all transactions …

[M]obile carriers and third-party retailers need to be vigilant in their

authentication practices to avoid putting their customers at risk of major

4Wireless carriers such as T-Mobile have superior knowledge of their own and their customers’ experience
with SIM-swap attacks and can foresee identity theft and impersonation of their customers following their
effectuating of the SIM change. That a criminal may act as an intervening agent does not break the sequence
of causation where T-Mobile had reasonable ground to anticipate such injuries to third-parties such as
Plaintiff.

4
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 5 of 32

financial loss and having email, social network, and other accounts
compromised.5

17. Attention in the media and by government regulators, however, did not ensure

that wireless carriers like T-Mobile took security seriously enough to prevent account takeover

accounts and SIM-swapping schemes from increasing or, worse, to convince themselves,

company-wide, to stop engaging in practices that were clearly violative of federal law.

18. An empirical study conducted by researchers at Princeton University in early 2020,

the results of which were aware to T-Mobile prior to publication, concluded that they “identified

weak authentication schemes and flawed policies” at several major wireless carriers in the United

States, including T-Mobile.6

19. The researchers also concluded that “these flaws enable straightforward SIM swap

attacks.”7

20. One particularly weak form of customer authentication used by T-Mobile – the use

of recent call logs – was identified as a “severe vulnerability,” allowing criminals to authenticate

a legitimate account by using information that can be manipulated without authentication.8

5“Your Mobile Phone Account Could be Hijacked by an Identity Thief,” L. Cranor, Tech@FTC blog (June 7, 2016);
Ms. Cranor also detailed her concerns about SIM-swapping in her reply comments before the Federal
Communications Commission in July 2016 (In the Matter of Protecting the Privacy of Customers of
Broadband and Other Telecommunication Services; WC Docket No. 16-106; July 6, 2016).

6“An Empirical Study of Wireless Carrier Authentication for SIM Swaps,” K. Lee, et al., Dept. of Comp. Sci. and
Ctr. for Info. Tech. Policy, Princeton University (Jan. 10, 2020), at p. 10; see also p. 2 (discussing T-Mobile’s
discontinuation of call log verification based on the study’s research in January 2020).

7 Id.

8 Id. at p. 6.

5
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 6 of 32

21. Indeed, when notified by the researchers of this “severe vulnerability,” T-Mobile

indicated that it would discontinue the use of call log verification in its customer authentication

process in January 2020.

22. But, this is just the latest “vulnerability” that has been called out in T-Mobile’s

customer authentication process which, when flawed, enables criminals to easily secure access to

the personal information of legitimate customers.

23. In May 2018, a popular information security blog, Krebs on Security, detailed

several failures by T-Mobile to keep its customers’ data secure, including failing to supervise its

employees (one of whom perpetuated the account takeover scheme with knowledge of T-

Mobile’s vulnerable internal systems) and failing to send legitimate customers notice to their

personal e-mail when a SIM-swap occurs.9

24. The article continued, “[T-Mobile] also acknowledged that it does not currently

send customers an email to the email address on file when SIM swaps take place. A T-Mobile

spokesperson said the company was considering changing the current policy, which sends the

customer a text message to alert them about the SIM swap [to the phone number that is now in

the criminal third-party’s control].” As the author concluded with regard to sending a text to the

hijacked phone number, “obviously that does not help someone who is the target of a SIM

swap.”10

9“T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account,” B. Krebs, Krebs on Security
(May 18, 2018).

10 Id.

6
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 7 of 32

25. As with the phone log verification vulnerability identified by Princeton

researchers later, T-Mobile had already demonstrated a knowledge of multiple weaknesses in its

internal processes and procedures to authenticate legitimate customers, admitting that such

weaknesses must be eliminated, and such practices discontinued.

26. When Twitter CEO Jack Dorsey became the victim of a SIM-swap attack in 2019,

the issue took on an even higher profile, with outlets including the NEW YORK TIMES and CNBC

running lengthy articles on the topic, often including quotes from T-Mobile spokespersons.11

27. In February 2020, the FCC issued a “Notice of Apparent Liability for Forfeiture

and Admonishment” against T-Mobile for apparently violating sections of the FCA governing

the privacy of consumer information by disclosing such information to third-parties who were

not authorized to receive it, finding, “even after highly publicized incidents put [T-Mobile] on

notice that its safeguards for protecting [customer information] were inadequate, T-Mobile

apparently continued sell access to its [customer information] for the better part of a year without

putting in place reasonable safeguards – leaving its customers’ data at unreasonable risk of

unauthorized disclosure.”12

11“Hackers Hit Twitter C.E.O. in a ‘SIM Swap.’ You’re at Risk, Too,” N. Popper, NEW YORK TIMES (Sept. 5, 2019)
(quoting a security expert who stated “SIM swapping is proliferating, and it’s going to keep proliferating
until companies deal with this. This is a known issue at this point. There is not really any excuse.”); see
also “Here’s How the Recent Twitter Attacks Happened and Why They’re Becoming More Common,” A. Palmer,
CNBC (noting that “As SIM hacks continue to rise, security advocates have called for carriers to do more
to thwart the issue.”) (available at https://www.cnbc.com/2019/09/06/hack-of-jack-dorseys-twitter-account-
highlights-sim-swapping-threat.html) (last accessed Jan. 27, 2021).

12 In the Matter of T-Mobile USA, Inc., File No. EB-TCD-18-00027702 (Feb. 28, 2020).

7
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 8 of 32

28. In proposing a penalty of $91,630,000.00 against T-Mobile, the FCC concluded its

decision by stating:

Going forward, Americans must be able to place trust in their wireless

carriers. I understand that operating businesses at the enormous scale of
these companies means relying on third parties for certain services. But
these carriers know that the services they offer create risks for users:
unauthorized location tracking, SIM hijacking, and billing scams to name
just [a] few. Carriers must take responsibility for those people they allow
into their operations.13

29. Despite the massive amounts of media, governmental, and academic focus on the

issue of SIM-swapping and the internal vulnerabilities of wireless carrier systems, T-Mobile has

been unable or unwilling to institute the practices, procedures, and safeguards necessary to

protect its customers’ data from account takeover and SIM-swap attacks.14

30. As a regulated wireless carrier, T-Mobile has a well-established duty – one which

it freely acknowledges on its corporate website15 – to protect the security and privacy of its

customers’ personal and financial information – referred to as CPNI in federal statutory

language16 – from unauthorized access, which compliance with Federal law T-Mobile is required

to certify annually to the FCC.17

13 Id. at p. 43.

14Setting aside the numerous instances of account takeover fraud, T-Mobile’s track record on preventing
data breaches of any kind is equally suspect, having announced at least four (4) separate data breaches in
the last three (3) years, affecting millions of customers. When coupled with its merger partner, Sprint, the
number of breaches is six (6) in the same time period. See https://threatpost.com/t-mobile-another-data-
breach/162703/ (last accessed Jan. 27, 2021).

15 See https://www.t-mobile.com/privacy-center/education-and-resources/cpni (last accessed Jan. 27, 2021).

16 CPNI stands for Customer Proprietary Network Information.

17 See https://www.t-mobile.com/privacy-center/education-and-resources/cpni (last accessed Jan. 27, 2021).

8
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 9 of 32

31. The FCA expressly restricts carriers like T-Mobile from unauthorized disclosure

of CPNI.

32. T-Mobile negligently failed to prevent the unauthorized disclosure of CPNI in this

case, causing Plaintiff to suffer hundreds of thousands of dollars in damage.

THE SIM-SWAP AT ISSUE

33. Brandon Buchanan (“Buchanan”) is the co-founder and partner of Iterative

Capital (“Iterative”), a hybrid investment fund focused on cryptocurrency trading and seed-stage

venture investments.

34. In May 2020, Buchanan was a wireless customer of T-Mobile.

35. In the days leading up to May 17, 2020, Buchanan’s suffered a SIM-swap attack

when third parties were able to access and, indeed, hijack Buchanan’s SIM data from T-Mobile,

granting them full access to Buchanan’s CPNI and allowing the third parties to impersonate

Buchanan in online forums and applications.

36. T-Mobile customers like Buchanan, who is heavily involved in the cryptocurrency

trade, are particularly susceptible to the attention of hackers in account takeover and SIM-swap

attacks.

37. T-Mobile allowed third parties other than Buchanan unauthorized access to

Buchanan’s SIM data in violation of Federal law.

38. Plaintiff is a customer of Iterative.

9
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 10 of 32

39. Iterative administered a cryptocurrency exchange where its customers could buy

and sell cryptocurrencies, including Bitcoin.

40. Plaintiff performed several successful transactions with Iterative to purchase

Bitcoin in the months leading up to May 2020.

41. The transactions were coordinated through a mobile application (“app”) called

Telegram, an encrypted cloud-based instant messaging software.

42. As of January 2021, Telegram had an estimated 500,000 monthly active users

worldwide, with accounts tied to cellular telephone numbers which are verified by text message

to those telephone numbers.

43. If an unauthorized third-party gains access to a Telegram account holder’s SIM

data, it can easily access that user’s Telegram account and hijack that user’s identity in messages

with other Telegram account users.

44. Plaintiff maintained a Telegram account to perform the cryptocurrency

transactions with Iterative.

45. Buchanan was a member of Telegram group chat room used by Plaintiff to conduct

transactions with Iterative.

46. Plaintiff was aware Buchanan was a member of the Telegram group chat room

used to conduct the cryptocurrency trades.

47. Plaintiff knew Buchanan to be a principal of Iterative.

48. Another member of Iterative, Wei Lin (“Wei”), was also a member of the same

Telegram group chat room used by Plaintiff and Iterative to conduct the cryptocurrency exchange

transactions.

10
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 11 of 32

49. Plaintiff knew Wei to be a representative of Iterative.

50. Plaintiff was aware Wei was a member of the Telegram group chat room used to

conduct the cryptocurrency trades.

51. After securing access to Buchanan’s data from T-Mobile, the hackers compromised

Buchanan’s Telegram account.

52. After securing access to Buchanan’s data from T-Mobile, the hackers impersonated

Buchanan by sending a Telegram message to Plaintiff, inquiring whether Plaintiff wanted to sell

any Bitcoin for an Iterative client at a premium (i.e., above market value) on or about May 17,

2020 at 7:31 p.m.

53. When Plaintiff inquired further, the hackers stated under the Telegram username

“Brandon B. [Iterative Capital]” that “I’m a partner & Co-founder at Iterative capital, I believe

you’ve done a buy with Wei before, check our Groups in common.”

54. Believing the proposed transaction to be a legitimate trade with a principal of

Iterative, Plaintiff sent fifteen (15) Bitcoin to a digital wallet he believed to be controlled by

Buchanan and/or Iterative, expecting U.S. dollars in return to an account controlled by Plaintiff.

55. Plaintiff did not receive any money in return for the fifteen (15) Bitcoin he sent via

the Telegram app to the party he thought was Buchanan.

56. The record of the May 17, 2020 transaction and communications between Plaintiff

and the third parties Plaintiff believed to be Buchanan were deleted thereafter from the Telegram

app.

11
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 12 of 32

57. On May 19, 2020, Buchanan sent an email to Iterative’s exchange clients informing

them that several of his accounts were compromised “as a result of a SIM-swap attack that

enabled a hacker to assume my identity” and to make trades on behalf of Iterative.

58. Buchanan alerted local law enforcement (New York Police Department)

authorities, as well as the Federal Bureau of Investigation (FBI).

59. The investigation into the identity of the third parties who gained access to

Buchanan’s SIM data from T-Mobile is ongoing.

60. Plaintiff, likewise, filed complaints with the same law enforcement agencies.

61. Upon information and belief, Buchanan attempted to intercede directly with T-

Mobile to obtain a refund on behalf of Plaintiff.

62. Upon information and belief, T-Mobile did not offer to compensate Buchanan or

Plaintiff in any way, despite the clear violation of federal and state law and its negligence in

securing Buchanan’s CPNI, which violations of law and duty cost Plaintiff hundreds of thousands

of dollars in losses.

63. Upon information and belief, T-Mobile, despite a legal obligation to do so, abjectly

failed in its duty to safeguard its customers’ personal and financial information by providing

unauthorized access to Buchanan’s CPNI.

64. Upon information and belief, T-Mobile failed to implement and/or maintain

security policies and procedures sufficient to protect the unauthorized access to Buchanan’s

CPNI.

65. Upon information and belief, T-Mobile failed to properly train and supervise its

employees to prevent the unauthorized access to Buchanan’s CPNI.

12
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 13 of 32

66. Upon information and belief, T-Mobile could have reasonably foreseen the

consequences of failing in its duty to implement, maintain, and execute sufficient security policies

and practices to protect the unauthorized access to customer data, including that of Buchanan.

67. Upon information and belief, T-Mobile’s systems, policies, and procedures allow

its officers, agents, and employees to exceed the authorized access to its customer accounts

without justification in violation of the CFAA.

68. T-Mobile’s actions and inaction demonstrate a reckless disregard for the rights of

its customers and those with whom its customers deal (i.e., foreseeable victims).

69. T-Mobile’s actions and inaction demonstrate a reckless disregard for its

obligations, responsibilities, and duties under the law.

70. But for T-Mobile’s reckless disregard of its obligations, Plaintiff would not have

been damaged.

71. The damage suffered by Plaintiff is fairly traceable to the wrongful conduct of T-

Mobile in allowing the unauthorized access to Buchanan’s wireless account.

JURISDICTION AND VENUE

72. This Court has jurisdiction over this matter under 28 U.S.C. §1331 as this case

arises under the Court’s federal question jurisdiction pursuant to the Federal Communications

Act (“FCA”).

13
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 14 of 32

73. This Court has jurisdiction over this matter under 18 U.S.C. §1030(g) as this case

arises under the Court’s federal question jurisdiction and monetary threshold requirements

pursuant to the Computer Fraud and Abuse Act (“CFAA”).

74. Pursuant to the Court’s supplemental jurisdiction under 28 U.S.C. §1367, it may

entertain the state law claims as they are derived from a common nucleus of operative facts.

75. Further, the Court has jurisdiction under 28 U.S.C. §1332 in that the amount in

controversy exceeds $75,000.00 and Plaintiff and Defendant are citizens of different states.

Plaintiff is a resident of the State of California, and Defendant is a Delaware corporation with a

principal place of business in the State of Washington.

76. Venue is proper in this Court under 28 U.S.C. §1391(b)(2), §1391(b)(3), §1391(c)(2),

and §1391(d) as a substantial part of the events or omissions giving rise to this complaint occurred

in this District. Buchanan is a resident of the State of New York, Iterative maintains a principal

place of business in the State of New York, and Buchanan utilized the T-Mobile wireless services

in the State of New York, including the use of a New York area code.

77. Upon information and belief, as a resident of New York, Buchanan contracted with

T-Mobile to provide wireless carrier services in the State of New York, including the data security

protections against unauthorized disclosure by T-Mobile of Buchanan’s data, as required by

federal law. As such, T-Mobile’s failure to protect Buchanan’s CPNI against unauthorized access,

causing Plaintiff damage, is central to the claims of this complaint.

78. As a customer of Iterative, a New York-based company, Plaintiff conducted trades

through the platforms maintained by Iterative and, additionally, signing a contract governing

such trades.

14
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 15 of 32

79. The investigation into the fraudulent trade is currently being led by the New York

Police Department’s Financial Crimes Task Force (Det. A. Napoli) in conjunction with the U.S.

Department of Homeland Security, Dark Web & Crypto Currency Group – TFO.

80. Upon information and belief, the necessary witnesses, including Buchanan, Wei,

and Iterative, are resident in the State of New York.

PARTIES

81. Plaintiff is a citizen of the United States and a resident of the State of California.

82. T-Mobile is a corporation formed under the laws of the State of Delaware and

serves as the American operating company of T-Mobile International AG. & Co., a corporation

based in Germany. T-Mobile maintains its headquarters and principal place of business in

Bellevue, Washington.

83. The practices and acts of T-Mobile, as alleged herein, are “charges, practices,

classifications, and regulations” by a common carrier engaged in interstate commerce as set forth

in the FCA.

FACTS AND ALLEGATIONS COMMON TO ALL CLAIMS

84. T-Mobile markets and sells wireless cellular phone service through standardized

wireless service plans via various retail locations, online sales, and over the telephone.

85. T-Mobile maintains accounts for its wireless customers, enabling them to access

information about the services they purchase from T-Mobile.

15
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 16 of 32

86. It is widely recognized and has been widely publicized that mishandling of

customer wireless accounts, including but not limited to allowing unauthorized access, can

facilitate identity theft and related consumer harm.

87. Instances of mishandling of customer account information have occurred on

numerous occasions at T-Mobile.

88. T-Mobile’s Privacy Policy states, in pertinent part: “We use a variety of

administrative, technical, and physical security measures designed to protect your personal data

against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or

use while it is under our control. We maintain authentication procedures when you contact us

by phone or in retail locations to help ensure that access is provided only to the primary account

holder or authorized users of the account. Online access to your personal data is protected

through passwords and other safeguards.”

89. T-Mobile’s sales and marketing materials state, inter alia, “We have implemented

various policies and measures to ensure that our interactions are with you or those you authorize

to interact with us on your behalf – and not with others pretending to be you or claiming a right

to access your information.”

90. T-Mobile’s sales and marketing materials also state that, unless T-Mobile can

verify the caller’s identity through certain personal information or a PIN requested by the

customer, T-Mobile’s policy is not to release any account specific information.

91. Despite these statements and other similar statements and promises, T-Mobile

failed to provide reasonable and appropriate security to prevent unauthorized access to customer

accounts.

16
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 17 of 32

92. Under the inadequate procedures implemented by T-Mobile, unauthorized

persons, including T-Mobile’s own officers, agents, and employees, acting without customer

permission, can authenticate, access, and make changes to information to customer information.

93. T-Mobile failed to disclose or made deceptive statements designed to cover up for

the act that its security procedures can and do fall short of its expressed and implied

representations and promises.

94. Such failures leading to unauthorized access of customer information were

entirely foreseeable by T-Mobile.

95. Buchanan entered into a contract with T-Mobile for wireless cellular service.

96. On or about May 17, 2020, T-Mobile allowed an unauthorized person to access

Buchanan’s T-Mobile account.

97. Thereafter, the unauthorized person was able to gain access to Buchanan’s phone-

based applications, including Telegram.

98. The unauthorized person was able to impersonate Buchanan and engage in

transactions with third parties, including Plaintiff.

99. Plaintiff lost fifteen (15) Bitcoin because of his belief he was doing business with

Buchanan, a loss in excess of $450,000.00.

100. Had T-Mobile not allowed the unauthorized access to Buchanan’s account,

Plaintiff would not have suffered his loss.

101. T-Mobile, by its inadequate procedures, practices, and regulations, engages in

practices which, taken together, fail to provide reasonable, appropriate, and sufficient security to

17
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 18 of 32

prevent unauthorized access to its customers’ wireless accounts, allowing unauthorized persons

to be authenticated, and granting access to sensitive customer account information.

102. In particular, T-Mobile failed to establish and implement reasonable policies,

procedures, and safeguards governing the creation, access, and authentication of user credentials

to access customer accounts, creating an unreasonable risk of unauthorized access.

103. As such, in violation of federal law, T-Mobile has failed to ensure that only

authorized persons have access to customer account data and that customer CPNI is secure.

104. Among other things, T-Mobile:

a. Failed to establish and enforce rules and procedures sufficient to ensure

only authorized persons have access to T-Mobile customer accounts;

b. Failed to establish appropriate rules, policies, and procedures for the

supervision and control of its officers, agents, and employees;

c. Failed to establish and enforce rules and procedures, or provide adequate

supervisions or training sufficient to ensure that its employees and agents

follow such rules and procedures, to restrict access by unauthorized

persons;

d. Failed to establish and enforce rules and procedures to ensure T-Mobile’s

employees and agents adhere to the security instructions of customers with

regard to accessing customer accounts;

e. Failed to adequately safeguard and protect its customers’ wireless

accounts;

18
Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 19 of 32

f. Permitted the sharing of and access to user credentials among T-Mobile’s

agents or employees without a pending request from the customer,

reducing the likely detection of and accountability for unauthorized access;

g. Failed to appropriately supervise employees and agents who granted

unauthorized access to customer accounts;

h. Failed to adequately train and supervise its employees, officers, and agents

to prevent the unauthorized access to customer accounts;

i. Failed to prevent the ability of employees, officers, and agents to access

and make changes to customer accounts without specific customer

authorization;

j. Allowed porting out of cell phone numbers without properly confirming

that the request was coming from legitimate customers;

k. Lacked proper monitoring solutions and therefore failed to monitor its

systems for the presence of unauthorized access in a manner that would

allow T-Mobile to detect intrusions, breaches of security, and unauthorized

access to customer information;

l. Failed to implement and maintain readily available best practices to

safeguard customer information; and

m. Failed to implement and maintain internal controls to help protect against

account takeovers and SIM-swapping by unauthorized persons.

19
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 20 of 32

105. Due to the inadequate security measures, policies, and safeguards employed by T-

Mobile, it created an unreasonable risk of unauthorized access to the accounts of its customers,

including that of Buchanan.

106. Upon information and belief, T-Mobile has been long aware of its inadequate

security measures, policies, and safeguards and, nevertheless, induced customers into believing

that its systems were secure and compliant with applicable law.

107. T-Mobile, despite knowing the risks associated with unauthorized access to

customer accounts, failed to utilize reasonable and available methods to prevent or limit such

unauthorized access.

108. In sum, T-Mobile’s security measures were entirely inadequate to prevent the

foreseeable damage caused to Plaintiff.

109. T-Mobile failed in its duty to protect and safeguard customer information and data

pursuant to federal law.

110. Had T-Mobile implemented appropriate and reasonable security measures,

Plaintiff would not have been damaged.

AS AND FOR A FIRST CAUSE OF ACTION

(Violations of the Federal Communications Act)

111. Plaintiff incorporates herein by reference the claims and allegations set forth

above, inclusive, as fully set forth herein.

112. The FCA regulates interstate telecommunications carriers, including T-Mobile.

20
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 21 of 32

113. T-Mobile is a “common carrier” engaged in interstate commerce by wire for the

purpose of furnishing communication services within the meaning of Section 201(a) of the FCA.

114. As a common carrier, T-Mobile is subject to the substantive requirements of

Sections 201 through 222 of the FCA.

115. Under Section 201(b) of the FCA, common carriers may implement only those

practices, classifications, and regulations that are “just and reasonable” and practices that are

“unjust or unreasonable” are unlawful.

116. Section 206 of the FCA provides:

In case any common carrier shall do, or cause or permit to be done, any act,
matter, or thing in this chapter prohibited or declared to be unlawful, or
shall omit to do any act, matter, or thing in this chapter required to be done,
such common carrier shall be liable to the person or persons injured
thereby for the full amount of damages sustained in consequence of any
such violation of the provisions of this chapter, together with a reasonable
counsel or attorney’s fee, to be fixed by the court in every case of recovery,
which attorney’s fee shall be taxed and collected as part of the costs in the
case.

117. T-Mobile’s conduct, as alleged herein, constitutes a knowing violation of Section

201(b) of the FCA.

118. T-Mobile is also liable for the acts, omissions, and/or failures, as alleged herein, of

any of its officers, employees, agents, or any other person acting for on behalf of T-Mobile.

119. Section 222 of the FCA requires telecommunications carriers, including T-Mobile,

to “protect the confidentiality of proprietary information” of, inter alia, customers.

120. T-Mobile violated its duty under Section 222 of the FCA by failing to protect the

confidentiality of the proprietary information of Buchanan by using, disclosing, or permitting

21
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 22 of 32

access to Buchanan’s CPNI without the consent, notice, and/or legal authorization of Buchanan

as required by the FCA.

121. T-Mobile’s violations under Section 222 allowed unauthorized parties to

impersonate Buchanan in transactions with other parties, including Plaintiff.

122. T-Mobile violated Section 222 by allowing an unauthorized party to access

Buchanan’s CPNI, resulting in the theft by that party or others associated with that party of fifteen

(15) Bitcoin belonging to Plaintiff, valued in excess of $450,000.00.

123. T-Mobile’s conduct as alleged herein constitutes a knowing violation of Section

222 of the FCA.

124. As a direct consequence of T-Mobile’s violations of the FCA, Plaintiff has been

damaged in an amount to be proven at trial but, upon information and belief, exceeds $450,000.00

plus fees and costs, including reasonable attorneys’ fees.

AS AND FOR A SECOND CAUSE OF ACTION

(Violations of the Computer Fraud and Abuse Act)

125. Plaintiff incorporates herein by reference the claims and allegations set forth

above, inclusive, as fully set forth herein.

22
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 23 of 32

126. The CFAA governs those who intentionally access computers without

authorization or who intentionally exceed authorized access18 and as a result of such conduct,

cause damage and loss.

127. As alleged herein, a SIM-swap attack requires the intentional access to customer

computer data by T-Mobile which exceeds its authority, and which conduct causes damage and

loss.

128. As such, T-Mobile is subject to the provisions of the CFAA.

129. T-Mobile’s conduct, as alleged herein, constitutes a knowing violation of the

CFAA.

130. T-Mobile is also liable for the acts, omissions, and/or failures, as alleged herein, of

any of its officers, employees, agents, or any other person acting for on behalf of T-Mobile.

131. T-Mobile violated its duty under the CFAA by exceeding its authority to access

the computer data and breach the confidentiality of the proprietary information of Buchanan by

using, disclosing, or permitting access to Buchanan’s CPNI without the consent, notice, and/or

legal authorization of Buchanan as required by the CFAA.

132. Section 1030(g) of the CFAA provides, in pertinent part:

Any person who suffers damage or loss by reason of a violation of this

section may maintain a civil action against the violator to obtain
compensatory damages and injunctive relief or other equitable relief. A
civil action for a violation of this section may be brought only if the conduct
involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of
subsection (c)(4)(A)(i). Damages for a violation involving only conduct
described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No

18As set forth in the CFAA, the term “exceeds authorized access” means to access a computer with
authorization and to use such access to obtain or alter information in the computer that the accesser [sic] is
not entitled so to obtain or alter. 18 U.S.C. §1030(e)(6).

23
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 24 of 32

action may be brough under this subsection unless such action is begun
within 2 years of the date of the act complained of or the date of the
discovery of the damage….

133. Plaintiff alleges he has suffered damages which exceed the threshold of $5,000.00

as required by Section 1030(c)(4)(A)(i)(I) of the CFAA.

134. Plaintiff alleges T-Mobile’s unlawful conduct has caused damage which exceeds

approximately $450,000.00.

135. Plaintiff has brought this claim within two (2) years of the date of discovery of the

damage pursuant to Section 1030(g) of the CFAA.

136. Plaintiff discovered the damage on or about May 19, 2020.

137. Upon information and belief, T-Mobile’s conduct as alleged herein constitutes a

violation of Section (a)(5)(A) of the CFAA.

138. Upon information and belief, T-Mobile’s conduct as alleged herein may constitute

a reckless violation of Section (a)(5)(B) of the CFAA.

139. Upon information and belief, T-Mobile’s conduct as alleged herein may constitute

an intentional violation of Section (a)(5)(C) of the CFAA.

140. As a direct consequence of T-Mobile’s violations of the CFAA, Plaintiff has been

damaged in an amount to be proven at trial but, upon information and belief, exceeds $450,000.00

plus fees and costs, including reasonable attorneys’ fees.

24
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 25 of 32

AS AND FOR A THIRD CAUSE OF ACTION

(Negligence)

141. Plaintiff incorporates herein by reference the claims and allegations set forth

above, inclusive, as fully set forth herein.

142. T-Mobile owes a duty of care to its customers to ensure the privacy and

confidentiality of CPNI during its provision of wireless carrier services, as required by both

federal and state law.

143. T-Mobile owes a duty of care to foreseeable victims who transact business with

legitimate T-Mobile customers or those who they believe to be legitimate T-Mobile customers.

144. By allowing unauthorized access to the personal and confidential information of

legitimate T-Mobile customers, T-Mobile breached its duty of care to its customers and to

foreseeable victims, including Plaintiff.

145. But for the inadequate security protocols, practices, and procedures employed by

T-Mobile in protecting customer data, including Buchanan’s private and confidential

information, Plaintiff would not have suffered damage.

146. Plaintiff has been damaged in an amount equal to fifteen (15) Bitcoin, which, upon

information and belief, is valued in excess of $450,000.00.

AS AND FOR A FOURTH CAUSE OF ACTION

(Violations of the New York Consumer Protection Act – N.Y. Gen. Bus. L. § 349)

25
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 26 of 32

147. Plaintiff incorporates herein by reference the claims and allegations set forth

above, inclusive, as fully set forth herein.

148. NEW YORK GENERAL BUSINESS LAW (GBL), §349(a) provides, in pertinent part, that

“[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the

furnishing of any service in this state are hereby declared unlawful.”

149. GBL §349(h) provides, in pertinent part, that “any person who has been injured by

reason of any violation of this section may bring an action in his own name to enjoin such

unlawful act or practice, an action to recover his actual damages …” including “reasonable

attorney’s fees.”

150. T-Mobile’s acts as alleged herein, including but not limited to its sales and

marketing representations about its level of data security and confidentiality and the measures it

employs to keep customer data secure, induced customers to trade with T-Mobile

notwithstanding T-Mobile’s knowledge that its security protocols and procedures were

inadequate to prevent unauthorized access to customer CPNI.

151. T-Mobile’s acts as alleged herein violated federal and state law, particularly those

related to the safeguarding of customer CPNI and such violations are deemed to be violations of

GBL §349.

152. Given T-Mobile’s superior knowledge of its systems, procedures, and practices,

coupled with its experience with past breaches of data security, Plaintiff was a foreseeable victim

of the violative acts of T-Mobile.

26
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 27 of 32

153. By allowing unauthorized access to Buchanan’s confidential and proprietary

information, T-Mobile facilitated unauthorized third parties to prey upon innocent victims like

Plaintiff.

154. Had T-Mobile not engaged in deceptive acts and practices, Plaintiff would not

have been damaged.

155. Had T-Mobile accurately represented the nature of its security measures, or lack

thereof, Plaintiff would not have conducted business with Buchanan and would not have been

damaged by those who gained unauthorized access to Buchanan’s CPNI from T-Mobile.

156. As a result of T-Mobile’s deceptive acts and practices, as defined by federal and

state law, Plaintiff suffered actual harm in an amount equal to fifteen (15) Bitcoin, valued in excess

of $450,000.00.

157. As a result of T-Mobile’s deceptive acts and practices, Plaintiff is entitled to actual

and statutory damages, including reasonable attorneys’ fees.

AS AND FOR A FIFTH CAUSE OF ACTION

(Negligent Hiring, Retention, and Supervision)

158. Plaintiff incorporates herein by reference the claims and allegations set forth

above, inclusive, as fully set forth herein.

159. At all material times herein, T-Mobile’s agents, officers, and employees, including

those directly or indirectly responsible for or involved in allowing unauthorized access to

27
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 28 of 32

Buchanan’s confidential and proprietary account information, were under T-Mobile’s direct

supervision and control.

160. Upon information and belief, T-Mobile negligently hired, retained, controlled,

trained, and supervised the officers, agents, and employees under its control, and knew or should

have known that such officers, agents, and employees could allow unauthorized access to

customer accounts, including that of Buchanan.

161. Upon information and belief, T-Mobile negligently failed to implement systems

and procedures necessary to prevent its officers, agents, and employees from allowing

unauthorized access to customer accounts, including that of Buchanan.

162. Upon information and belief, T-Mobile’s negligent hiring, retention, control,

training, and supervision allowed the unauthorized access to customer accounts resulting in

damage to T-Mobile customers and foreseeable victims in the public at large, including Plaintiff.

163. Given T-Mobile’s experience with account takeover and SIM-swap attacks, many

of them assisted by the actions of its officers, agents, and/or employees, T-Mobile’s failure to

exercise reasonable care in supervising and controlling its officers, agents, and employees was a

breach of its duty to its customers and to those potential victims, including Plaintiff, with whom

they interacted.

164. T-Mobile’s duty to its customer and foreseeable victims to protect its customer

data from unauthorized access is required by federal and state law.

165. It was entirely foreseeable to T-Mobile that unauthorized persons would attempt

to gain unauthorized access to T-Mobile customer data and, despite this, T-Mobile failed to

28
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 29 of 32

implement sufficient safeguards and procedures to prevent its officers, agents, and employees

from granting such unauthorized access.

166. Upon information and belief, T-Mobile engaged in the acts alleged herein and/or

condoned, permitted, authorized, and/or ratified the conduct of its officers, agents, and

employees.

167. As a direct consequence of T-Mobile’s negligent hiring, retention, control, and

supervision of its officers, agents, and employees who allowed the unauthorized access to

Buchanan’s account, Plaintiff was damaged in an amount to be proved at trial, but, upon

information and belief, an amount that exceeds $450,000.00

AS AND FOR A SIXTH CAUSE OF ACTION

(Gross Negligence)

168. Plaintiff incorporates herein by reference the claims and allegations set forth

above, inclusive, as fully set forth herein.

169. T-Mobile, as required by federal and state law, owed Buchanan and foreseeable

victims a duty to properly handle and safeguard Buchanan’s CPNI and access to his account.

170. Under the FCA, T-Mobile was required to “do any act, matter, or thing in this

chapter required to be done” to ensure its compliance with federal law and to protect the

confidentiality of its customer account data, including that of Buchanan.

29
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 30 of 32

171. Upon information and belief, T-Mobile willfully disregarded and/or showed

reckless indifference to its duties under federal and state law to T-Mobile customers and to

foreseeable victims of T-Mobile’s wrongful acts.

172. Having superior knowledge of prior account takeover attacks on T-Mobile

customers’ data and having the ability to employ internal systems, procedures, and safeguards

to prevent such attacks, T-Mobile nevertheless failed to institute appropriate controls to prevent

unauthorized access to customer accounts, utilized authentication systems it knew or should

have known were vulnerable to account takeover attacks, willfully disregarded the best practices

of the industry in failing to implement systems to thwart such attacks, and failed to appropriately

hire, retain, supervise, train, and control those officers, agents, and employees who could grant

unauthorized access to customer account data.

173. T-Mobile’s policies, procedures, and safeguards were completely ineffective and

inadequate to prevent the unauthorized access to its customers’ data, notwithstanding the

requirements of the CFAA.

174. T-Mobile’s actions as alleged herein, in the face of an abundance of attention by

the media and government regulators, evince a carelessness that can only be characterized as a

complete disregard for the rights of its customers and the foreseeable victims of its inadequate

data security measures.

175. As a consequence of T-Mobile’s gross negligence, Plaintiff has been damaged in

an amount to be proved at trial, but, upon information and belief, an amount that exceeds

$450,000.00.

30
 Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 31 of 32

DEMAND FOR JURY TRIAL

Plaintiff respectfully demands a trial by jury for all issues set forth herein.

PRAYER FOR RELIEF

WHEREFORE Plaintiff prays for judgment against T-Mobile as follows:

1) Enter judgment for Plaintiff on all counts

2) Award compensatory damages to Plaintiff arising from T-Mobile’s negligence;

3) Award punitive damages to Plaintiff due to the willfulness and gross negligence of

T-Mobile’s conduct;

4) Award statutory damages to Plaintiff for T-Mobile’s FCA violations;

5) Award statutory damages to Plaintiff for T-Mobile’s CFAA violations;

6) Award Plaintiff costs and reasonable attorneys’ fees;

7) Award Plaintiff prejudgment interest; and

8) Award Plaintiff such other and further relief as this Court deems just, fair, and

proper.

Dated: February 8, 2021

___________________________________
Jeffrey L. Wilson, Esq. (JW9819)
Henry C. Chan, Esq. (HC4160)

31
Case 1:21-cv-01085 Document 1 Filed 02/08/21 Page 32 of 32

Attorneys for Plaintiff CALVIN CHENG

733 Third Avenue, 16th Floor
New York, NY 10017
jwilson@wilsonchanlaw.com
hchan@wilsonchanlaw.com
Tel. (646) 790-5848

32