Page 1
Ninth Circuit:
Cellular Provider Might Be Liable for Hacking Activity
Opinion Says Claim Against AT&T Mobility Based on Theft of $24 Million in Cryptocurrency Is Viable
By Kimber Cooley, associate editor
|
|
|
MICHAEL TERPIN investor |
The Ninth U.S. District Court of Appeals yesterday partially reinstated an action against a cellular provider brought by a man who had $24 million in cryptocurrency stolen by hackers, holding that a triable issue exists as to whether there was a violation of a federal statute designed to protect the proprietary information of customers.
Providing access to an account—as opposed to directly disclosing customer information—is sufficient to trigger the protections of the statute, the court held.
Appealing a judgment entered in favor of the service provider was Michael Terpin, the founder and CEO of Transform Group, a global advisory investing firm. Terpin is known as the “crypto godfather.”
He sued AT&T Mobility LLC in 2018 after a 15-year-old suburban New York high school student Ellis Pinsky—dubbed “Baby Al Capone” by the New York Post, Rolling Stone, and other publications for his involvement in the scam—bribed Jahmil Smith, an employee at an authorized retailer of the telecommunications giant, to bypass securities measures and conduct a “SIM swap.”
A “SIM swap” occurs when hackers link a victim’s cellular phone number to another subscriber identity module (“SIM”) card, resulting in the unauthorized routing of the customer’s calls and messages to a separate mobile device.
After the swap, Pinsky and his adult co-conspirator Nicholas Truglia requested password reset messages to Terpin’s phone number, which they controlled. They used those messages to access the victim’s online accounts, including a Microsoft OneDrive account containing a document in a trash folder with the trader’s cryptocurrency access credentials.
Truglia was sentenced to 18 months in prison for the theft in 2022. Terpin obtained civil judgments against both hackers—for $22 million against Pinsky and $75.8 million against Truglia.
Communications Act Claim
In addition to various state law fraud and negligence claims, Terpin’s complaint asserts that AT&T violated §222 of the Federal Communications Act (“FCA”).
Sec. 22 provides that telecommunications carriers have “a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers” and prohibits companies from using, disclosing, or permitting access to “customer proprietary network information” (“CPNI”) with few exceptions.
CPNI is defined as “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service” that a customer makes “available to the carrier…solely by virtue of carrier-customer relationship.”
District Court Judge Otis D. Wright II of the Central District of California granted summary judgment in favor of the defendant in March 2023. As to the FCA claim, Wright concluded that the undisputed facts establish that the swap did not disclose any information protected under the FCA, saying in the summary judgment order:
“First, the SIM swap itself did not disclose Terpin’s online account information; rather, Pinsky undertook many additional steps, beyond the mere access to the 310 number, to obtain that information….Second,….[t]he SIM swap associated Terpin’s 310 number to a phone in Pinsky’s control; it did not reveal the details of Terpin’s phone bill, user agreement, technical service specifications, call history, data usage, or any other confidential, proprietary information.”
Circuit Judge Roopali H. Desai authored the opinion reversing the judgment as to the FCA claim. Circuit Judge Holly A. Thomas and Senior Circuit Court Judge Richard R. Clifton joined in the opinion.
Permitted Access
Desai noted that “[t]he parties dispute the scope of Section 222” with Terpin contending that the act protects both CPNI and a broader category of customer proprietary information and AT&T arguing for a narrower interpretation. Declining to decide the issue, he wrote that “[e]ven under AT&T’s narrower construction of Section 222, there is a triable issue over whether AT&T ‘permit[ted] access’ to Terpin’s CPNI.”
He explained that CPNI includes “information such as incoming or outgoing communications on a customer’s account; the time, location, frequency, or length of communications on a customer’s account; billing or costs charged to a customer’s account; and any service features associated with a customer’s account.”
The jurist continued:
“The district court focused on whether any CPNI was ‘disclosed’ to Pinsky during the SIM swap. But Section 222…does not merely prohibit the use or disclosure of CPNI, it also prohibits ‘permit[ting] access to’ CPNI….The FCC’s rules implementing Section 222 likewise require that carriers ‘take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.’ Permitting ‘access’ to information is broader than disclosing it: access includes an ‘opportunity’ or ‘ability to’ obtain or use the information.”
Two Ways
Turning to the present case, Desai opined that “[a] jury could…find that AT&T gave hackers access to Terpin’s CPNI in two ways.” The judge wrote:
“First, the SIM swap gave Pinsky ‘access’ to ‘information that relates to…the technical configuration’ of Terpin’s telecommunications service….The technical ‘configuration’ of a customer’s telecommunications service includes the devices associated with that service….”
He added:
“Second, the SIM swap gave Pinsky access to information ‘that relates to’ the ‘type, destination, location, and amount of use of a telecommunications service’ by allowing Pinsky to receive all incoming communications sent to Terpin’s phone number….The district court held that the SIM swap disclosed only Terpin’s phone number, which is not CPNI. But that is an overly simplistic view of a SIM swap. A SIM swap does not merely disclose a phone number—it gives a person control over the phone number and access to any future communications involving that phone number. Terpin pointed to Pinsky’s deposition testimony explaining that, after the SIM swap, he requested password reset messages on Terpin’s Gmail and Microsoft accounts and received those messages on the device he associated with Terpin’s AT&T account.”
Unpersuaded by the defendant’s argument that because “Terpin didn’t generate or request any of those messages,” there was “no customer information for § 222 to protect,” he remarked:
“Not so. Even if Pinsky fraudulently requested the password reset messages from Terpin’s accounts, the messages were intended for Terpin and sent to Terpin’s phone number. A hacker’s fraudulent use of a customer’s account does not transform the customer’s account into the hacker’s account….Even though Pinsky requested the password reset messages, the messages were sent to Terpin’s AT&T phone number and thus were made available to AT&T ‘solely by virtue of the carrier-customer relationship.’ ”
Absurd Results
Pointing to what he claims would be “absurd results” flowing from AT&T’s interpretation, Desai said:
“If Pinsky had walked into the AT&T affiliate store, asked Smith to print Terpin’s recent call log, and looked at the call log, AT&T would not dispute that Pinsky had access to CPNI. Yet under AT&T’s view, Pinsky had no access to CPNI when he walked into the store, updated Terpin’s account to change the SIM associated with Terpin’s phone number, gained control over all incoming communications with Terpin’s phone number, and received confidential password reset messages sent to Terpin’s phone number. Our decision avoids this paradox.”
He noted that Wright did not reach the issue of proximate causation raised by the defendant and “[w]e thus remand to the district court to consider this issue ‘in the first instance.’”
The case is Terpin v. AT&T Mobility LLC, 23-55375.
Copyright 2024, Metropolitan News Company