A court document T-Mobile didn't want customers to see has been made public

T-Mobile had known about SIM swap attacks affecting its customers since 2016. By March 2018, it knew that the attacks caused financial harm to customers.

SIM swap attacks involved a combination of tricking and bribing employees to get into T-Mobile's systems. From 2016 through February 2020, 27,000 T-Mobile customers were victims of such attacks.

The SIM swap community saw T-Mobile as an easy target. The attack on Jones wouldn't have been attempted if he had a different provider, according to one of the hackers.

Publicly available systems and programs were used to perpetrate the crime. The process was freely discussed in Discord chats.

T-Mobile had fewer guardrails than other carriers, and its employees received little training to recognize, prevent, disable, or report such attacks. Once authenticated by T-Mobile, hackers were able to stay logged in for weeks at a time. The company didn't even check for location red flags.

T-Mobile's Terms & Conditions used language that sought to exonerate it from unauthorized breaches. Preventing SIM swaps wasn't a priority for T-Mobile.

T-Mobile employees were aware of the attack on Jones as it was being carried out, but did nothing to stop it. That's because they had known that the same bad actor was previously involved in similar attacks.

 

No attempts were made to disable the SIM card associated with those attacks. Even though T-Mobile's policy said that a SIM deactivated due to fraud couldn't be reused, tools existed to reverse the deactivation. The hacker took advantage of that. T-Mobile had no procedure for permanently deactivating a SIM card associated with fraudulent activity.

T-Mobile defended itself by claiming that at that time it had 53 million customers but only around 100 employees working on fraud prevention.

T-Mobile had a SIM Block feature, but it was only available to customers who had already been victims of SIM swaps. Employees weren't allowed to offer it to customers who inquired about it. The company didn't educate customers about preventing unauthorized SIM Swaps and discouraged employees from spreading awareness about SIM fraud.

Jones was previously encouraged by T-Mobile to set up a security passcode, warned about a number port-out scam, and requested to consider using an alternative to text-for-pin authentication. However, a security password couldn't have necessarily prevented the attack.

It was concluded that "it was foreseeable that T-Mobile’s acts and omissions would result in theft of Jones’s cryptocurrency." However, since Jones didn't do everything in his power to prevent the damage, T-Mobile was only held liable for 50 percent of his damages. As a result, the Arbitrator awarded $26,569,963.60 to Jones.

T-Mobile has, in recent times, beefed up its defence against SIM swap attacks. The company disabled self-service SIM swaps in 2022 and reenabled them only recently.

This may partially explain why the company didn't want the details of the $33 million award to be made public. Regardless, customers should rest easy knowing that such attacks are improbable now, but if something does happen, they can always count on the government to make T-Mobile compensate.