A court document that T-Mobile tried to keep confidential has been made public, shedding light on a SIM swap attack that cost a customer millions of dollars. The attack took place in February 2020, when hackers stole cryptocurrency worth nearly $37 million from the victim by taking control of his T-Mobile number. Despite detecting the swap within 16 minutes, T-Mobile failed to secure the account, allowing the cybercriminal to leave a taunting message in the system a week later.
Security Lapses and Lack of Prevention
T-Mobile had been aware of SIM swap attacks since 2016 but failed to prioritize prevention measures. The attack on the victim was made possible by flaws in T-Mobile's authentication process and inadequate employee training. The company's policy favored convenience over security, making it an easy target for hackers. As a result, thousands of T-Mobile customers fell victim to similar attacks over a four-year period.
Legal Ramifications and Compensation
The court document revealed that T-Mobile was held liable for only 50% of the victim's damages, amounting to $26,569,963.60. Despite the significant financial loss, the victim was found to have not taken all necessary steps to prevent the attack. Since then, T-Mobile has implemented stricter security measures and disabled self-service SIM swaps.
