The Supreme Court of Justice of the Nation (SCJN) raised alarms on cybersecurity by recognizing the severity of the fraud known as SIM swapping. This occurred after a telecommunications company improperly handed a SIM card to a third party, allowing access to a user's personal information, digital accounts, and sensitive data in Mexico City. The case, which led to the dissemination of private information and a bank fraud attempt, led the Supreme Court to determine that the company incurred civil liability for negligence in the line replacement process.
Identity theft via mobile telephony According to the resolution, the fraud consisted of delivering a SIM card to a person other than the line holder, which allowed taking control of the phone number, used as a verification method for banking services and digital platforms. This practice facilitated improper access to personal accounts, as well as to private content, evidencing the risks posed by the breach of authentication systems linked to mobile telephony.
Security protocol failures The SCJN concluded that the telephone company did not prove it had met the minimum identity verification standards when changing the SIM. Among the irregularities detected, the lack of clear records on the identification presented, absence of documentary evidence, and the non-existence of additional validation mechanisms were noted. For the Court, these omissions constitute negligent conduct that violates the privacy, personal data, and patrimonial security of users.
Impact on the victim and judicial criteria The Plenum recognized that the victim suffered damage to her dignity, private life, and emotional stability, derived from both the loss of control over her line and the dissemination of intimate content. It also rejected arguments that held the victim responsible for the use of her data or storage of personal information, by emphasizing that companies have a position of guarantor in protecting users.
New obligations for telephone companies As part of the resolution, the Court established strict criteria for telecommunications companies when replacing SIM cards. Among them are in-person verification with official identification, data cross-referencing with contractual records, application of security questions, and generation of documentary evidence of the process. Additionally, it was recommended to implement additional mechanisms, such as notifications to the original holder, to prevent improper access.
Cybersecurity and corporate responsibility The SCJN's resolution places SIM swapping fraud as a real risk within the digital ecosystem, by showing how a failure in security protocols can lead to high-impact crimes. The ruling also reinforces the obligation of telecommunications companies to protect users' personal data and privacy, in a context where the mobile phone has become the key to digital life. The case was referred to the Public Ministry to investigate possible criminal liabilities, opening the door to new judicial actions in cyberfraud and identity theft.
