In Fraser v. Mint Mobile, LLC, No. C 22-00138 WHA, 2022 U.S. Dist. LEXIS 76772, at *2 (N.D. Cal. Apr. 27, 2022), Judge Alsup denied summary judgment to a defendant claiming that its data breach did not proximately cause the plaintiff’s cryptocurrency loss. The facts were as follows:
Defendant Mint Mobile, LLC is a mobile virtual network operator that currently uses T-Mobile’s network infrastructure to provide wireless cellular services to its customers. One of those customers was plaintiff Daniel Fraser. This action involves three incidents that eventually led to the theft of Fraser’s cryptocurrency, held by a non-party cryptocurrency exchange.
First, between June 8, 2021, and June 10, 2021, Mint (the mobile carrier) suffered a large-scale data breach. The leak exposed the personal identifying information (PII) of many of its cellphone customers, including their names, addresses, email addresses, phone numbers, account numbers, and passwords. Fraser was one of the customers affected by the breach (Compl. ¶¶ 3, 12).
Second, criminals purportedly used the information exposed in the data breach to hijack Fraser’s cellphone service. SIM hijacking represents a growing crime in telecommunications. A subscriber identity module, or “SIM” card, authenticates a cellphone subscription. Switch the SIM card from an old phone into a new phone and the cellular service shifts to the new device. Relevant here, SIM porting, or port-out fraud, is a genus of SIM hijacking where a criminal, posing as the victim, opens an account with a carrier different from that of the hacked carrier and arranges for the victim’s cellular service to be transferred to the new carrier and put under control of the criminal. On June 11, 2021, an unknown criminal ported Fraser’s cellular service with Mint to another service provider, Metro by T-Mobile. Fraser alleges that the earlier Mint data breach exposed all the information needed to port out his service.
Additionally, Fraser alleges that, three days before his service was fraudulently ported to the other provider, he had implemented a PIN verification feature on his Mint account to enhance his electronic security with two-factor authentication, i.e., making changes to his account required both a password and a pin verification code. Fraser alleges that Mint bypassed this enhanced security when it allowed the porting out of his account. All of this occurred before Mint notified affected customers of the breach on July 9, 2021 (Compl. ¶¶ 2-6, 37-43, 59-66).
Third, Fraser’s cryptocurrency account (with a completely separate firm) was then hacked and his assets stolen. Besides the loss of one’s cell service, port-out fraud places the victim’s other personal accounts at risk as well. Personal accounts — e.g., for email, banking, or cryptocurrency — will often use the account holder’s telephone number as a means for the account holder to recover access to their account when, for example, they forget their password. In many instances, all the account holder needs to do to regain access to their account is verify their identity by entering a pin number automatically sent to their phone via their cellular service (like the pin verification Fraser put on his Mint account). This means once a criminal successfully ports a victim’s cellphone service, the criminal acquires a key to steal the victim’s identity and access a variety of the victim’s accounts (so long as the criminal has other, basic information regarding the victim’s accounts, such as the email address used to maintain the account) (Compl. ¶¶ 1, 49, 59 62-67).
Fraser had an account with Ledger, a specific cryptocurrency exchange, where he stored his cryptocurrency. He alleges that the combination of Mint’s data breach (which occurred from June 8 through June 10) and the fraudulent SIM port (which occurred on June 11 at 8:08 a.m.) provided criminals with all the information and access required to hack into and drain his Ledger account (Compl. ¶ 63). As a result, starting on June 11 at 9:19 a.m., a criminal began to drain Fraser’s Ledger account, and eventually stole the equivalent of $466,000.00 in cryptocurrency (Compl. ¶¶ 59-67).
The District Court found that proximate cause of the loss was a question of fact for the jury.
Mint argues the complaint does not adequately connect the dots between its conduct and the theft of Fraser’s cryptocurrency from his Ledger account. Fraser alleges, however, that once a criminal gains access to a victim’s email, it is a straight-forward inquiry to determine what sort of financial accounts the victim maintains. A simple query of the victim’s email account would reveal any number of accounts a criminal could then try to access (id. ¶¶ 59-67). That logical progression suffices. Remember, the criminal began draining Fraser’s Ledger account at 9:19 a.m., just one hour, eleven minutes after the SIM port-out. And the SIM port-out occurred (at most) a few days after the Mint data breach. The allegations of proximate cause here are sufficiently direct and not comparable to the “Rube Goldbergesque system of fortuitous linkages” where California courts have held proximate cause lacking as a matter of law. Steinle v. United States, 17 F.4th 819, 822-23 (9th Cir. 2021).
Second, Mint contends the allegations fail due to their reliance upon multiple independent illegal acts of third parties (Br. 9). Under California law: “The defense of superseding cause absolves the original tortfeasor, even though his conduct was a substantial contributing factor, when an independent event subsequently intervenes in the chain of causation, producing harm of a kind and degree so far beyond the risk the original tortfeasor should have foreseen that the law deems it unfair to hold him responsible.” Chanda v. Fed. Home Loans Corp., 215 Cal. App. 4th 746, 755, 155 Cal. Rptr. 3d 693 (2013) (cleaned up). . . Here, “it could hardly be argued that the risk of the harm that befell plaintiffs was as a matter of law unforeseeable.” Lawson v. Safeway Inc., 191 Cal. App. 4th 400, 417, 119 Cal. Rptr. 3d 366 (2010). Fraser alleges that Mint provided criminals with all the information and access they needed to hack his accounts and steal his assets (Compl. ¶ 63). He further explains that SIM hijacking represents a national problem, one that has spurred FCC action (Compl. ¶¶ 68-80). At this posture, given the known threat of SIM hijacking and that Mint purportedly bypassed the pin verification Fraser set up, the complaint plausibly alleges foreseeable acts that do not qualify as superseding causes.
Mint disagrees and asserts it “lacks the legal and practical ability to control the acts of criminals” (Br. 10). “However, this expectation does not exonerate a defendant whose ‘conduct has created or increased the risk of harm.’” Lawson, 191 Cal. App. 4th at 418 (quoting Rest. 2d Torts § 449, cmt. a). The modern standard addressed herein does not take the rigid view Mint proposes that criminal acts necessarily constitute superseding causes. See also Bigbee v. Pac. Tel. & Tel. Co., 34 Cal. 3d 49, 58, 192 Cal. Rptr. 857, 665 P.2d 947 (1983); 6 Witkin, Summary of Cal. Law, Torts § 1366 (11th ed. 2021).
The opinions that Mint cites are inapposite. For example, the decision in Martinez v. Pacific Bell, 225 Cal. App. 3d 1557, 1565-66, 275 Cal. Rptr. 878 (1990), is distinguishable because, in that matter, plaintiff asserted a telephone company proximately caused his injuries resulting from a robbery because the robbers were attracted to the neighborhood because of a public telephone booth. In contrast, Mint’s conduct here much more directly created or increased the risk of harm. Other cited cases do not address California law or apply the previous standard. See Citizens Bank of Pa. v. Reimbursement Techs., Inc., 2014 U.S. Dist. LEXIS 82098, 2014 WL 2738220, at *3 (E.D. Pa. June 17, 2014) (Judge L. Felipe Restrepo); O’Keefe v. Inca Floats, Inc., 1997 U.S. Dist. LEXIS 17088, 1997 WL 703784, at *4 (N.D. Cal. Oct. 31, 1997) (Judge Vaughn R. Walker); Jesse v. Malcmacher, 2016 U.S. Dist. LEXIS 191944, 2016 WL 9450683, at *10 (C.D. Cal. Apr. 5, 2016) (Judge Stephen V. Wilson). Fraser plausibly alleges that Mint’s data breach and role in the SIM port-out created the opportunity for the cryptocurrency theft.
In sum, at least at this stage, where pleadings are liberally construed and the pleader has not yet had an opportunity to obtain discovery, this order holds it was reasonably foreseeable to both plaintiff and defendant that a breach of the type alleged of defendant’s system would pose the risk of a follow-on injury of the type alleged.
The District Court found, however, that there was no basis for restitution and therefore dismissed the B&P Code § 17200 claim.
Second, the complaint fails to adequately state a claim for restitution. In the context of Section 17200, “restitution means the return of money to those persons from whom it was taken or who had an ownership interest in it.” Shersher v. Super. Ct., 154 Cal. App. 4th 1491, 1497, 65 Cal. Rptr. 3d 634 (2007) (citation and quotation omitted); see also Korea Supply Co. v. Lockheed Martin Corp., 29 Cal. 4th 1134, 1149, 131 Cal. Rptr. 2d 29, 63 P.3d 937 (2003). Here, Fraser vaguely alleges in Count IV that “Plaintiff has lost the benefit of his bargain for his purchased services from Mint that he would not have paid had he known the truth regarding Mint’s inadequate data security” (Compl. ¶ 166). His Section 17200 allegations focus, however, on how the “harm caused by Mint’s actions and omissions . . . is substantial in that it has caused Plaintiff to suffer approximately $466,000.00 in actual financial harm because of Mint’s unfair business practices” (id. ¶ 186; see also ¶¶ 165, 194). But a “restitution order against a defendant thus requires both that money or property have been lost by a plaintiff, on the one hand, and that it have been acquired by a defendant, on the other.” Kwikset Corp. v. Super. Ct., 51 Cal. 4th 310, 336, 120 Cal. Rptr. 3d 741, 246 P.3d 877 (2011). It was not Mint that acquired Fraser’s cryptocurrency, but a third-party criminal. Fraser, consequently, has failed to allege he is entitled to restitution from Mint.