Federal Judge Finds Carriers Can Be Subject to FCC Privacy Authorities in Preventing SIM Swap Attacks
July 22, 2025
Michael Terpin filed a lawsuit against AT&T when it failed to prevent a phone service account takeover that resulted in his cryptocurrency assets being stolen; this cybercrime tactic is known as a SIM swap attack, and his carrier failed to protect Terpin from it twice.
On July 16, 2025, Judge Otis D. Wright II of the Central District of California partially denied AT&T’s renewed motion for summary judgment in Michael Terpin v. AT&T, finding that FCC privacy authorities applied to the carrier in the context of SIM swap attacks. This order rejected carrier arguments that carriers should not be held liable for their cybersecurity deficiencies when a third-party criminal actor uses their systems and staff to effectuate fraud.
Section 222 of the Communications Act confers an obligation on carriers to protect the data of their subscribers, including Customer Proprietary Network Information (CPNI). The Federal Communications Commission has also enacted rules that impose additional CPNI safeguards on carriers. The court found that the harm alleged (cryptocurrency loss) was reasonably foreseeable and within the scope of risk from violating Section 222. The court also found that a carrier disclosing a subscriber’s CPNI without authorization, for example by facilitating a SIM swap attack, violates the statute and the FCC regulations in precisely the way those laws were designed to prevent, to the harm of subscribers, especially as those laws contemplate bad-actor fraud as a potential harm resulting from unauthorized CPNI disclosure.
Judge Wright wrote that:
“Whether considering foreseeability, direct relationship, or some combination of the two, a reasonable juror could conclude that the undisputed events leading from the SIM swap to the theft of Terpin’s cryptocurrency demonstrates the essential hallmarks of proximate cause.”
Because this case is at the summary judgment stage, the court assumed that the facts would show that the carrier did violate the law. The court also granted AT&T’s motion for summary judgment on the question of vicarious liability, as the employee was not advancing the interests of AT&T per applicable state law.
EPIC regularly submits amicus briefs and regulatory comments related to deficient data security practices. EPIC filed the initial 2005 petition that gave rise to the Federal Communications Commission’s (FCC’s) 2007 CPNI Order, which imposed more explicit obligations on telecom carriers to protect consumers from scammers who would defraud them by exploiting their carrier’s weak cybersecurity practices.