T-Mobile does not have to compensate the victim of SIM swapping after a cybercriminal stole almost 17,500 euros in cryptocurrency. According to the judge, there is no direct connection between taking over the victim’s telephone number and the theft of cryptocurrency. The perpetrator had to take several hurdles to gain access to the victim’s crypto wallets.
T-Mobile made a SIM swap mistake
In May 2020, the plaintiff took out a subscription with T-Mobile. Almost a year later, in February 2021, to be exact, a scammer managed to take control of his phone number. We also call this SIM swapping. For this he called on the chat function on the telecom company’s website.
To establish the applicant’s identity for the SIM swap, the T-Mobile employee asked several questions. The employee asked for his last name, zip code, date of birth and mobile number. All these questions the scammer answered correctly. Two more check questions followed: from which bank account was the subscription fee debited and what was the amount on the last invoice?
The first control question was answered correctly. The scammer did not know the answer to the second question. He said, “I don’t know the exact amount, but it is always around 25 euros”. The answer was wrong because the provider had charged 19.99 euros just before. Nevertheless, the T-Mobile employee accepted the answer and authorized the SIM swap.
T-Mobile offers ‘out of leniency’ compensation of 500 euros
At the time the scammer performed the SIM swap, the victim had crypto wallets with multiple trading platforms. He had secured access to these accounts with two-factor authentication. For this, he used the authentication app Authy. In addition to a username and password, you need an access code to access your crypto wallet. Authy generates a new temporary access code every thirty seconds.
After the successful sim swap, the cybercriminal managed to steal crypto worth 17,485.43 euros. By registered letter, the victim held T-Mobile responsible for the financial damage. He argued that the theft could have occurred because the telecom company had not correctly followed its own protocol for establishing a customer’s identity.
The telecom company responded to the letter with the proposal to reimburse an amount of 500 euros ‘out of leniency’. The ensuing correspondence failed to bring both sides to an agreement. To substantiate his story, the victim called in ICTRecht BV in December 2021. The consultancy released a report on how the SIM swap fraud had taken place.
Victim: ‘T-Mobile violated GDPR’
The victim filed a lawsuit against T-Mobile to enforce compensation. During the hearing, he argued that T-Mobile had granted third-party access to his personal data and that the company had not taken appropriate security measures. This is contrary to Article 4, paragraph 12 and Article 6, paragraph 1 of the General Data Protection Regulation (GDPR).
The victim demanded that T-Mobile reimburse the full amount of the damage, including legally owed interest, extrajudicial costs and expertise costs. This amounts to an amount of more than 25,000 euros.
Judge: ‘T-Mobile fell short, but only has to reimburse 500 euros’
T-Mobile defended itself by saying that there is “no direct connection” between having the victim’s phone number and stealing his cryptocurrency “because the criminal still had to take several hurdles to steal the cryptos, namely taking over the claimant’s Hotmail account, access to the Authy app and access to the crypto wallets”. A telephone number and e-mail address alone were not enough to carry out the theft. The telecom company also accused the victim of insufficiently securing his accounts.
In its judgment, the court acknowledges that T-Mobile should have refused the SIM swap because the last control question had not been answered correctly. On that point, the provider has ‘culpably failed’ and has acted unlawfully towards its customer.
At the same time, the court believes that T-Mobile may invoke the limitation of liability laid down in the general terms and conditions. It states that the provider must reimburse an amount of up to 500 euros per event if the company has fallen short. The court is of the opinion that this compensation amount is “necessary, appropriate and proportionate”.
T-Mobile does not have to reimburse the costs for the consultancy from the court. This also applies to the costs incurred by the victim to bring the case to court.