A court document revealed failures that harmed T-Mobile users, despite the company's objections.
Hackers chose T-Mobile because it was an easy target.
Although T-Mobile detected and reverted a SIM swap in 16 minutes, it was too late to prevent damages.
For a week after the attack, T-Mobile took no action to secure the account. A week later, the hacker left a note in the internal system boasting about stealing $45 million. T-Mobile was aware of SIM swap attacks affecting customers since 2016 and knew by March 2018 that they caused financial harm, but prevention wasn't a priority.
These attacks involved deceiving or bribing workers to access T-Mobile systems. From 2016 to February 2020, around 27,000 customers were affected.
Hackers viewed T-Mobile as an easy target, with one saying the attack on Jones wouldn't have occurred with a different provider.
Commonly available tools were used in the crime, and the methods were openly discussed in Discord chats.
According to the hacker who stole crypto from Jones, T-Mobile was an easier target because it lacked additional authentication measures like a PIN.
T-Mobile's security was less robust than other carriers, employees had little training for preventing such attacks, and hackers could stay logged in for extended periods without location checks.
A hacker stated that T-Mobile granted broad access rights to retail employees, regardless of tenure, with no apparent limitations on accessing customer accounts.
T-Mobile's terms sought to excuse unauthorized breaches, and preventing SIM swaps wasn't a priority.
T-Mobile employees knew about the attack on Jones as it happened but didn't intervene, aware of the perpetrator's previous involvement in similar attacks.
No attempts were made to disable the SIM card. Though T-Mobile's policy prohibited reusing deactivated SIMs, tools existed to bypass this. The company lacked a process for permanently deactivating SIM cards involved in fraud.
T-Mobile claimed to have 53 million customers but only about 100 employees focused on fraud prevention.
T-Mobile offered a SIM Block feature only to past SIM swap victims and discouraged employees from promoting awareness about SIM fraud or offering the block to concerned customers.
T-Mobile had advised Jones to set up a security passcode and warned him about number port-out scams. However, a passcode wouldn't have necessarily prevented the attack.
The arbitrator concluded that T-Mobile's actions would likely lead to the theft of Jones's cryptocurrency. However, T-Mobile was only responsible for 50% of the damages because Jones didn't take every possible precaution. Consequently, Jones was awarded $26,569,963.60.
Recently, T-Mobile has improved its defenses against SIM swap attacks, disabling self-service SIM swaps in 2022 and only recently re-enabling them.
This may explain why T-Mobile wanted to keep the $33 million award details private. Customers can be assured that these attacks are now less likely, and government intervention can help ensure compensation if they occur.