As to the particulars of what happened, Terpin’s complaint lays out how he was the victim of digital identity theft when someone managed to take control over his phone number without having to provide the requisite forms of identification. With possession of the number in tow, the hackers ultimately managed to access his cryptocurrency accounts and wipe them clean.
The complaint, which can be read in its entirety over here, reads in part:
By obtaining control over Mr. Terpin’s phone, the hackers diverted Mr. Terpin’s personal information, including telephone calls and text messages, to get access to accounts that use telephone numbers as a means of verification or authentication.
After the hackers took charge of Mr. Terpin’s telephone number, the hackers accessed Mr. Terpin’s telephone to divert texts and telephone calls to gain access to Mr. Terpin’s cryptocurrency accounts. The hackers also used the phone to hijack Mr. Terpin’s Skype account to impersonate him. By that means, the hackers convinced a client of Mr. Terpin to send them cryptocurrency and diverted a payment due to Mr. Terpin to themselves. AT&T finally cut off access by the hackers to Mr. Terpin’s telephone number on June 11, 2017, but only after the hackers had stolen substantial funds from Mr. Terpin.
The crazy part is that all of the above happened 5 months before the $24 million theft took place. Terpin claims that after the initial breach, he was promised “the highest level of security for his account.”
Even after AT&T had placed vaunted additional protection on his account after an earlier incident, an imposter posing as Mr. Terpin was able to easily obtain Mr. Terpin’s telephone number from an insider cooperating with the hacker without the AT&T store employee requiring him to present valid identification or to give Mr. Terpin’s required password.
The purloined telephone number was accessed to hack Mr. Terpin’s accounts, resulting in the loss of over $24 million of cryptocurrency coins.
Consequently, Terpin places the blame squarely on AT&T because it transferred control of his number without following its stated security procedures, even when it was well aware that he was a high-profile target. The damages sought include the $24 million Terpin lost and $200 million in punitive damages which, as the complaint notes, “might attract the attention of AT&T’s senior management long enough to spend serious money on an acceptable customer protection program and measures to ensure that its own employees are not complicit in theft and fraud.”
A press release regarding the suit can be viewed over here.
Commenting on the matter, an AT&T spokesperson issued the following statement on the lawsuit: “We dispute these allegations and look forward to presenting our case in court.”