T-Mobile was ordered to pay $33 million in a private arbitration settlement following a SIM swap attack. This attack led to the theft of cryptocurrency from victim Joseph “Josh” Jones, who had his phone number hijacked. A T-Mobile employee transferred Jones’ phone number to a SIM card controlled by a hacker on February 21, 2020. Despite Jones having strong security, such as an eight-digit PIN, attackers bypassed protections, pointing to failures in T-Mobile’s systems.
The lawsuit, handled by the law firm Greenberg Glusker, revealed that multiple security failures by T-Mobile led to the attack.
The carrier’s mishandling of customer data and inadequate protections were blamed for the breach. The court ruling highlighted the need for improved telecom security, especially regarding SIM swap attacks, which have been a persistent vulnerability for years. T-Mobile attempted to keep the details of the incident under wraps, but the ruling eventually came to light in 2023.
The attack resulted in the theft of over 1,500 Bitcoin and 60,000 Bitcoin Cash, valued at $38 million at the time.
The hack was carried out by a 17-year-old hacker with ties to other notable cybercriminals involved in high-profile hacks, including the infamous 2020 Twitter hack. This attack, which involved hijacking accounts of prominent figures like Elon Musk and Bill Gates, further exposed the risks of SIM swapping.
SIM swapping has been a known security flaw for years, with all U.S. wireless carriers vulnerable to it. This recent arbitration ruling serves as a reminder that telecom companies must address this issue to prevent further incidents. Following the ruling, the Federal Communications Commission (FCC) has introduced new rules, and collaborations with major carriers like T-Mobile aim to bolster protections for customers.
Reference:
