FCC says three customer data breaches involved exploitation of APIs
Verizon’s TracFone has been fined $16 million as part of a settlement with the Federal Communications Commission related to three breaches involving customer information.
All three of the data breaches involved exploitation of application programming interfaces (APIs), according to the FCC. The breaches exposed customer information, including names, billing addresses, the number of lines per account and the features that users had subscribed to, and resulted in unauthorized port-outs (transfers of a customer’s phone number to another carrier).
While the specific number of affected phone numbers and customers was redacted, according to the FCC order a “large number” of the affected accounts were no longer active or in service.
In addition to the fine, the terms of the consent decree require that TracFone strengthen its API security. “This is critical because APIs are ubiquitous, and thus are a common attack vector for threat actors,” the agency said in a release. “While APIs greatly improve the modularity and flexibility of software, they dramatically expand the potential attack surface area,” the agency explained in the related order, adding: “The ubiquity of APIs, coupled with their potential proximity to consumer information, make them a common target of attackers and merits increased scrutiny when it comes to security standards.”
According to the FCC, the breaches were discovered between 2021 and 2023. The first incident was a “cross-brand incident” in December 2021, when TracFone received an unusually high number of requests for numbers to be transferred to other service providers, accompanied by customer complaints that those port-outs had not been authorized. By January 2022, TracFone was addressing the problem by sending port-out notifications to customers so that port-outs were confirmed as genuinely authorized, and by requiring randomly generated PINs to validate the account when a port-out was requested. TracFone then “spent several months investigating, testing, and securing the relevant systems after this attack by the external threat actors and had remediated all vulnerabilities associated with the Cross-Brand Incident in 2022,” according to the FCC.
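The FCC order does not describe how TracFone implemented its port-out PIN check. The following is an added example, not TracFone’s or the FCC’s code, of what the control described above looks like when done carefully: a PIN generated with a cryptographically secure source, stored only as a salted hash, bound to a short expiry, single-use, compared in constant time, and locked after a handful of wrong guesses so it cannot be brute-forced through the API. The class and method names, the PIN length, the attempt limit and the TTL are all assumptions chosen for the illustration; the injectable clock exists only so expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Policy values are assumptions for this example, not TracFone's settings.
PIN_LENGTH = 6
MAX_ATTEMPTS = 5
PIN_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 50_000


@dataclass
class PortOutChallenge:
    salt: bytes
    pin_hash: bytes
    expires_at: float
    failures: int = 0


class PortOutGuard:
    """Issues and verifies one-time PINs that must accompany a port-out request."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock (for offline tests)
        self._challenges: Dict[str, PortOutChallenge] = {}
        self.notifications: List[Tuple[str, str]] = []   # (account_id, message) sent to the customer

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        # Never keep the PIN itself; a slow salted hash limits offline guessing if the store leaks.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def issue_pin(self, account_id: str) -> str:
        """Create a fresh random PIN for one account and notify the customer that a port-out was requested."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))  # CSPRNG, not random.choice
        salt = secrets.token_bytes(16)
        self._challenges[account_id] = PortOutChallenge(
            salt=salt, pin_hash=self._hash(pin, salt), expires_at=self._now() + PIN_TTL_SECONDS
        )
        # The notification goes to the customer on record, not to whoever asked for the port-out.
        self.notifications.append((account_id, "A port-out of your number was requested. If this was not you, contact us."))
        return pin

    def authorize_port_out(self, account_id: str, presented_pin: str) -> bool:
        """Return True only for the correct, unexpired PIN on an account that is not locked; the PIN is single-use."""
        challenge = self._challenges.get(account_id)
        if challenge is None:
            return False
        if self._now() > challenge.expires_at:
            del self._challenges[account_id]          # expired PINs are discarded, not retried
            return False
        if challenge.failures >= MAX_ATTEMPTS:
            return False                              # locked: even the right PIN no longer works
        if hmac.compare_digest(self._hash(presented_pin, challenge.salt), challenge.pin_hash):
            del self._challenges[account_id]          # consumed on success
            return True
        challenge.failures += 1
        return False


if __name__ == "__main__":
    guard = PortOutGuard()
    pin = guard.issue_pin("acct-demo")
    print("issued PIN", pin, "-> verify:", guard.authorize_port_out("acct-demo", pin))
```

The lockout is per account rather than per source address because the attack described in the order came through an API, where a threat actor can rotate clients cheaply; the customer notification is the second half of the control the order mentions, and it is sent regardless of whether the PIN is later presented.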
TracFone then had two other data breach incidents, both of which came through its order websites and which were reported in December 2022 and January 2023. Both incidents involved threat actors being able to access order information, including some customer information, without being properly authenticated. After TracFone blocked the first method the attacker used to exploit the vulnerability, the attacker switched to a different method that got around the new protections. According to the FCC, TracFone “ultimately implemented a long-term fix for the underlying vulnerability by February 2023.”
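The order does not say what the order-website vulnerability was or which methods the attacker used. The following is an added example, not TracFone’s code, that illustrates the pattern the passage describes with an assumed shape for the flaw: an order-lookup handler that returns a record given only an order number, a first “fix” that merely disables the path being abused (leaving the same lookup reachable through a second route, so the attacker simply switches method), and the long-term fix, which ties the lookup to an authenticated session and checks that the order belongs to that session’s account. All names, routes, sample orders and session tokens are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: str
    account_id: str
    name: str
    billing_address: str
    lines: int               # number of lines on the account
    features: Tuple[str, ...]


# Constructed sample data (not real customers).
ORDERS: Dict[str, Order] = {
    "ORD-1001": Order("ORD-1001", "acct-A", "Alice Example", "1 Main St", 2, ("intl-calling",)),
    "ORD-1002": Order("ORD-1002", "acct-B", "Bob Example", "2 Elm St", 1, ()),
}
# Assumed session store: session token -> authenticated account.
SESSIONS: Dict[str, str] = {"sess-alice": "acct-A", "sess-bob": "acct-B"}


@dataclass
class Request:
    path: str
    params: Dict[str, str]
    session_token: Optional[str] = None


class Forbidden(Exception):
    """Raised when a request is denied; the caller maps it to a 403/404."""


def lookup_vulnerable(req: Request) -> Optional[Order]:
    """Assumed original flaw: anyone who can reach the API and guess an order number gets the order."""
    return ORDERS.get(req.params.get("order", ""))


def lookup_blocked_path(req: Request) -> Optional[Order]:
    """Short-term 'fix' that only blocks the path seen in the attack.

    The unauthenticated lookup itself is unchanged, so the same data is still
    reachable through any other route that calls it (here, /order-status).
    """
    if req.path == "/orders/view":
        raise Forbidden("endpoint disabled")
    return ORDERS.get(req.params.get("order", ""))


def lookup_fixed(req: Request) -> Order:
    """Long-term fix: authenticate the caller, then authorize access to the specific object."""
    account_id = SESSIONS.get(req.session_token or "")
    if account_id is None:
        raise Forbidden("authentication required")
    order = ORDERS.get(req.params.get("order", ""))
    # Same response for "no such order" and "someone else's order" so the API
    # cannot be used to enumerate valid order numbers.
    if order is None or order.account_id != account_id:
        raise Forbidden("not found")
    return order


def can_read(handler, req: Request) -> bool:
    """Helper for experiments: did this handler hand back an order record?"""
    try:
        return handler(req) is not None
    except Forbidden:
        return False


if __name__ == "__main__":
    anon = Request("/order-status", {"order": "ORD-1002"})
    print("anonymous via alternate route, blocked-path fix:", can_read(lookup_blocked_path, anon))
    print("anonymous via alternate route, real fix:", can_read(lookup_fixed, anon))
```

The point is the difference between the second and third handlers: blocking a URL, a user agent or a source address changes how the attacker must ask, while the authorization check changes whether the data is returned at all, which is what the FCC means by fixing the underlying vulnerability rather than one exploitation method.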
“Carriers—and the customer information they have access to—are prime targets for threat actors. The Commission takes matters of consumer privacy, data protection, and cybersecurity seriously, including in the context of emerging security issues. The Enforcement Bureau’s investigations and resulting Consent Decree make clear that API security is paramount and should be on the radar of all carriers,” said Loyaan A. Egal, chief of the Enforcement Bureau and chair of the FCC’s Privacy and Data Protection Task Force.
TracFone was acquired by Verizon in late 2021 for about $7 billion and operates multiple brands, including Straight Talk, Total by Verizon Wireless and Walmart Family Mobile. TracFone is the largest wireless reseller in the U.S. and serves approximately 21 million subscribers.