When the question arises about corporations handling the security of personal information, many people feel safe. Recently many doubts started floating around when it became apparent that Facebook was sharing user information with corporations overseas. Unfortunately the mobile giant AT&T was recently involved such events.

On the 15th of August an American investor filed a lawsuit against AT&T in what appeared to be another misuse of personal info. His claim is that the personal information he provided, specifically his phone number, was shared by a company employee, which allowed the hackers to steal $24 million worth of crypto from his accounts.

Michael Terpin is the CEO of TransformGroup. The $24 million worth of cryptocurrencies he lost is the result of two separate attacks, which occurred over the course of a little over 7 months. In his formally filed complaint, he states that the two attacks took place on June 11th 2017 and the 7th of January 2018. The two attacks saw AT&T fail to protect his digital identity. He was a subscriber to AT&T for more than 20 years.

The amount of punitive damages he seeks is $200 million and a $24 million compensation.

AT&T needs to increase monitoring on employees to prevent future cases involving SIM swap

Terpin fell victim to a “port out” scam. This is also known as SIM swapping and in reality is quite simple. The scam requires a provider, in this case AT&T, to transfer the user’s phone number to another SIM card which is property of the attacker/hacker group. When the number is acquired it can be easily used to change the victim’s passwords and use their accounts, including the ones on crypto exchanges.

Due to the relative ease with which the scam is conducted, it has recently become fairly widespread. Cryptocurrency accounts are the most common targets since most users don’t use very strict security measures. There are also cases where the attackers trick users into believing they are in risk and acquire their personal info.

In Terpin’s case, it’s evident there was “inside access” to help with the scam. In June 2017 after realizing his account was hacked, he was informed by AT&T that his password was changed remotely. This was after there were more than 10 attempts in AT&T stores.

His personal info including texts and calls were used to gain access to his other accounts as a means of verification. This also meant his crypto accounts. His skype account was also hacked and was used to ask his clients to send “him” cryptocurrency.

Unfortunately, the access to the accounts was terminated only after he sustained heavy losses. According to the complaint, after the first hack he met with company representatives and discussed more heavy security measures. He was allegedly promised that his account would be given a higher security level combined with special protection like the ones used by celebrities.

AT&T’s way of handling this issue was extremely unprofessional

Needless to say, a few months later those measures didn’t prove useful and Terpin got hacked for a second time. This time it was obvious there was a SIM swap involving a company employee. The second theft amounted to $24 million in crypto and despite his immediate reach out to AT&T, his requests were ignored and that left the attackers enough time to empty his accounts and make safe transfers to their own.

He has also reached out to multiple government agencies such as the United States Secret Service, the FBI and Homeland Security. They have managed to identify the AT&T employee responsible for the attack.

In light of these events, Terpin has stated that he doesn’t give anyone his phone number anymore. Maybe that’s a good strategy to consider until there is more security in guaranteed by companies freely holding out personal info.

You can also check out: