Liberty Mobile Could Have Prevented Phone Takeover Fraud, Alleges Customer
Four Liberty employees accessed a customer's account about 30 times from December 2020 to June 2022 without her authorization and repeatedly failed to safeguard her personally identifiable information (PII) and customer proprietary network information (CPNI), alleged a SIM swap complaint Monday (docket 3:23-cv-01613) in U.S. District Court for Puerto Rico in San Juan.
Plaintiff Dagyana Ortiz-Nieves, a Puerto Rico resident, was the subject of multiple incidents of harassment, stalking and threats she believes were caused by her former boyfriend, Raul Marrero, against whom she filed a petition for a protective order, the complaint said. From 2020 until recently, Ortiz-Nieves received numerous anonymous calls and threatening texts with her picture, her son discovered a GPS tracking device on her car’s undercarriage and her friends received “tens of calls” presumably generated by Marrero, the complaint said.
Ortiz-Nieves requested numerous times that Liberty open an investigation for unwanted intrusion and violation of her privacy rights in connection with her cellphone account and the carrier’s “reckless and wanton disregard” for her safety, the complaint said. In February 2022, she reported to a Liberty customer service representative that she suspected unauthorized security breaches of her phone account. Liberty records showed Ortiz-Nieves “regularly visited a Liberty store on a monthly basis where she identified herself as the owner/user of Plaintiff's telephone account,” but Ortiz-Nieves had been to a Liberty store only once, the complaint said.
The plaintiff filed a criminal complaint with the Puerto Rico Police Bureau regarding the unauthorized security breaches of her phone account, the complaint said. She also contacted Liberty’s security department and senior management requesting records showing the names of employees responsible for the unauthorized breaches, it said. In addition to some 30 breaches from 2020 to 2022, she learned Oct. 27 that three other unauthorized breaches occurred in January and February of this year, it said.
The complaint cited one form of wireless phone account takeover fraud in which an employee, officer or agent of a wireless carrier breaches company security protocols, gains access to a customer’s wireless phone account without her consent and retrieves CPNI and PII held in an account. In Ortiz-Nieves’ case, Liberty employees “were either part of the act or were simply not trained enough to accurately verify the identity of the unauthorized third-party” who accessed her phone account and retrieved PII and CPNI, the complaint said.
Another form of takeover fraud is a SIM swap, where a third party, with the help of a carrier, is allowed to transfer information from a customer’s cellphone number through the customer’s SIM card to a SIM card controlled by the third party, the complaint noted. Access to the phone number allows the hacker to control the text-based two-factor authentication designed to protect sensitive accounts, such as email and banking. The carrier must actively perform the SIM card reassignment.
“The prevalence of SIM-swap fraud and Liberty’s knowledge of the recurring instances of PII and CPNI data security deficiencies"; unauthorized security breaches of Ortiz-Nieves’ PII and CPNI and her phone account; “recurrent and unwanted calls” to her phone account; and tracking of Ortiz-Nieves through geolocation tracking technology, “performed with the active participation of employees, officers, or agents of Liberty,” demonstrate that what happened to Ortiz-Nieves and her phone account “was neither an isolated incident nor an unforeseeable event,” the complaint said.
If Liberty had implemented “well-established” and “easy-to-implement” security measures, Ortiz-Nieves wouldn’t have been a victim of PII and CPNI security breaches, SIM swaps and the generation of “hundreds of unwanted phone calls," the generation of unwanted calls to her friends’ phones “while in the presence” of Ortiz-Nieves, and the tracking of Ortiz-Nieves through geolocation tracking technology, the complaint said.
The carrier could have sent Ortiz-Nieves a text or email advising her each time there was an unauthorized security breach of her phone account, unwanted calls received at her phone account and “even possibly an unauthorized SIM-swap,” the complaint said. Liberty also could have sent her a text or email asking her to confirm whether she requested a SIM swap, the complaint said. Liberty also could have used voice ID to verify her identity with her voiceprint, it said.
Ortiz-Nieves claims violations of the Communications and Computer Fraud and Abuse Acts, plus negligence. She seeks statutory and compensatory damages of at least $3 million, plus the recovery of punitive damages, court costs and attorneys’ fees. Liberty Mobile didn't comment.