Fraser v. Mint Mobile, LLC
| Decision Date | 27 April 2022 |
| Docket Number | C 22-00138 WHA |
| Parties | DANIEL FRASER, Plaintiff, v. MINT MOBILE, LLC, Defendant. |
| Court | U.S. District Court — Northern District of California |
Hackers took cell phone users' information from their carrier and this information was used to port plaintiff's cellular service to another carrier whereupon a criminal pretending to be plaintiff acquired access to and then drained plaintiff's cryptocurrency account maintained by a cryptocurrency exchange. The issue is the extent to which the carrier is liable for the lost funds once held by the cryptocurrency exchange. For the following reasons, the motion to dismiss is GRANTED IN PART and DENIED IN PART.
Defendant Mint Mobile, LLC is a mobile virtual network operator that currently uses T-Mobile's network infrastructure to provide wireless cellular services to its customers. One of those customers was plaintiff Daniel Fraser. This action involves three incidents that eventually led to the theft of Fraser's cryptocurrency held by a non-party cryptocurrency exchange.
First between June 8, 2021, and June 10, 2021, Mint (the mobile carrier) suffered a large-scale data breach. The leak exposed the personal identifying information (PII) of many of its cellphone customers, including their names, addresses, email addresses, phone numbers, account numbers, and passwords. Fraser was one of the customers affected by the breach (Compl. ¶¶ 3, 12).
Second, criminals purportedly used the information exposed in the data breach to hijack Fraser's cellphone service. SIM hijacking represents a growing crime in telecommunications. A subscriber identity module, or “SIM” card, authenticates a cellphone subscription. Switch the SIM card from an old phone into a new phone and the cellular service shifts to the new device.
Relevant here, SIM porting, or port-out fraud, is a genus of SIM hijacking where a criminal, posing as the victim, opens an account with a carrier different from that of the hacked carrier and arranges for the victim's cellular service to be transferred to the new carrier and put under control of the criminal. On June 11, 2021, an unknown criminal ported Fraser's cellular service with Mint to another service provider, Metro by T-Mobile. Fraser alleges that the earlier Mint data breach exposed all the information needed to port out his service. Additionally, Fraser alleges that, three days before his service was fraudulently ported to the other provider, he had implemented a PIN verification feature on his Mint account to enhance his electronic security with two-factor authentication, i.e., making changes to his account required both a password and a pin verification code. Fraser alleges that Mint bypassed this enhanced security when it allowed the porting out of his account. All of this occurred before Mint notified affected customers of the breach on July 9, 2021 (Compl. ¶¶ 2-6, 37-43, 59-66).
Third, Fraser's cryptocurrency account (with a completely separate firm) was then hacked and his assets stolen. Besides the loss of one's cell service, port-out fraud places the victim's other personal accounts at risk as well. Personal accounts - e.g., for email, banking, or cryptocurrency - will often use the account holder's telephone number as a means for the 2 account holder to recover access to their account when, for example, they forget their password. In many instances, all the account holder needs to do to regain access to their account is verify their identity by entering a pin number automatically sent to their phone via their cellular service (like the pin verification Fraser put on his Mint account). This means once a criminal successfully ports a victim's cellphone service, the criminal acquires a key to steal the victim's identity and access a variety of the victim's accounts (so long as the criminal has other, basic information regarding the victim's accounts, such as the email address used to maintain the account) (Compl. ¶¶ 1, 49, 5962-67).
Fraser had an account with Ledger, a specific cryptocurrency exchange, where he stored his cryptocurrency. He alleges that the combination of Mint's data breach (which occurred from June 8 through June 10) and the fraudulent SIM port (which occurred on June 11 at 8:08 a.m.) provided criminals with all the information and access required to hack into and drain his Ledger account (Compl. ¶ 63). As a result, starting on June 11 at 9:19 a.m., a criminal began to drain Fraser's Ledger account, and eventually stole the equivalent of $466, 000.00 in cryptocurrency (Compl. ¶¶ 59-67).
Fraser filed this lawsuit to hold Mint responsible for its purported role in the theft of his cryptocurrency. Fraser broadly asserts claims for violation of the Federal Communications Act, violations of California Business & Professions Code Section 17200, negligence, and breach of contract. He does not assert his claims on behalf of a putative class. Now, Mint moves to dismiss the complaint for failure to state a claim. At the hearing, Mint withdrew its motion to dismiss the prayer for injunctive relief pursuant to the Federal Communications Act as well as its motion to compel arbitration. This order follows full briefing and oral argument.
A motion to dismiss tests the legal sufficiency of the complaint. To survive a motion to dismiss under Rule 12(b)(6), a complaint must contain sufficient factual matter accepted as true, to state a claim for relief that is plausible on its face. A claim is facially plausible when there are sufficient factual allegations to draw a reasonable inference that the defendant is liable for the misconduct alleged. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). While a court must take all of the factual allegations in the complaint as true, it is “not bound to accept as true a legal conclusion couched as a factual allegation.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). “Factual allegations must be enough to raise a right to relief above the speculative level.” Ibid.
1. PROXIMATE CAUSE (ALL COUNTS).
Mint argues that the complaint fails to adequately allege the data breach and SIM port proximately caused the theft of Fraser's cryptocurrency from a third-party, and that the complaint should be dismissed in its entirety (Br. 6). This order disagrees.
“It is a well established principle of the common law that in all cases of loss, we are to attribute it to the proximate cause, and not to any remote cause.” Bank of Am. Corp. v. City of Miami, 137 S.Ct. 1296, 1305 (2017) (cleaned up). Generally, the proximate cause requirement “bars suits for alleged harm that is ‘too remote' from the defendant's unlawful conduct.” Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 133 (2014). Under California law, proximate cause has two aspects. The First is cause in fact, sometimes referred to as but-for causation. Under the substantial factor test, which generally subsumes but-for causation, a cause in fact is an act or omission that was a substantial factor in bringing about the plaintiff's harm. The Second aspect of proximate cause incorporates considerations of public policy. “These additional limitations are related not only to the degree of connection between the conduct and the injury, but also with public policy.” State Dep't of State Hosps. v. Super. Ct., 61 Cal.4th 339, 352-53 (2015) (quotation omitted); Frausto v. Dep't of Cal. Highway Patrol, 53 Cal.App. 5th 973, 996 (2020). State Hosps., 61 Cal.4th at 353 (cleaned up).
First, Mint argues that “holes in [p]laintiff's conclusory chain of causation overcome proximate causation” (Br. 8). The complaint, however, adequately explains how the combination of Mint's data breach and the SIM port-out gave criminals the information and access needed to drain Fraser's Ledger account. The data breach exposed, among other information, Fraser's name, address, telephone number, email address, and Mint password. Moreover, the data breach did not merely expose some of Fraser's PII, it purportedly revealed the specific PII necessary for a criminal to port out Fraser's wireless service to an account under the criminal's control (Compl. ¶¶ 61-63).
Mint argues the complaint does not adequately connect the dots between its conduct and the theft of Fraser's cryptocurrency from his Ledger account. Fraser alleges, however, that once a criminal gains access to a victim's email, it is a straight-forward inquiry to determine what sort of financial accounts the victim maintains. A simple query of the victim's email account would reveal any number of accounts a criminal could then try to access (id. ¶¶ 5967). That logical progression suffices. Remember, the criminal began draining Fraser's Ledger account at 9:19 a.m., just one hour, eleven minutes after the SIM port-out. And the SIM port-out occurred (at most) a few days after the Mint data breach. The allegations of proximate cause here are sufficiently direct and not comparable to the “Rube Goldbergesque system of fortuitous linkages” where California courts have held proximate cause lacking as a matter of law. Steinle v. United States, 17 F.4th 819, 822-23 (9th Cir. 2021).
Second Mint contends the allegations fail due to their reliance upon multiple independent illegal acts of third parties (Br. 9). Under California law: “The defense of superseding cause absolves the original tortfeasor, even though his conduct was a substantial contributing...
To continue reading
Request your trial