"Council then took the spoofed ID card and entered one of AT&T's retail stores in Huntsville to acquire a SIM linked to the victim's account, says the complaint."
It is interesting to me that this was fundamentally a social engineering attack rather than a technical one, and was actually conducted in-person rather than remote/electronically.