
Cox data breach results in FCC fine

FCC fines Cox for 2014 data breach orchestrated by ‘Lizard Squad’ hacker group

Cox Communications agreed to pay a $595,000 fine to the Federal Communications Commission tied to a 2014 data breach that exposed customers’ personal information to third parties.

The FCC said the settlement with Cox to “resolve an investigation into whether the company failed to properly protect its customers’ personal information when the company’s electronic data systems were breached in 2014” was the first action by the government agency tied to privacy and data security enforcement against a cable operator.

According to the FCC investigation, Cox’s electronic data systems were breached in August 2014 by a hacker using the alias “EvilJordie” and aligned with the “Lizard Squad” group. The hacker is said to have impersonated Cox’s information technology department and convinced a Cox customer service representative and a Cox contractor to enter their account identifications and passwords into a “phishing” website. The hacker used those credentials to gain access to personal identification information of Cox cable customers, including names, addresses, email addresses, secret questions/answers, personal identification numbers and in some cases partial Social Security and driver’s license numbers. The hacker also was able to access customer proprietary network information of Cox telephone customers.

Some of that information was posted on social media sites, used to change customers’ account passwords and shared with other alleged members of the Lizard Squad hacker group.

The FCC said its Enforcement Bureau found Cox’s data security systems “did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials,” and that Cox never reported the data breach to the FCC as required by law.

In addition to the fine, Cox is also required to identify and notify impacted customers, providing them with one year of free credit monitoring. Cox is also required to adopt a “comprehensive” compliance plan establishing an information security program with annual system audits, internal threat monitoring, penetration testing, and further breach notification systems and processes designed to protect customer information. The FCC added it will monitor compliance for seven years.

“Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said Travis LeBlanc, Enforcement Bureau chief at the FCC. “This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the Web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers’ information safe online and off.”

Fellow cable television provider Comcast in September agreed to pay a $33 million fine related to the public posting of data from 75,000 customers. The fine was levied by the California Department of Justice and California Public Utilities Commission, and included $25 million in fines and costs to the state, plus $8 million in restitution to customers.

T-Mobile US reported last month that one of its vendors had been hit by hackers in an attack involving personal identification information for approximately 15 million people who applied for postpaid services or device financing between Sept. 1, 2013, and Sept. 16, 2015. The carrier noted those impacted could include people who did not become T-Mobile US customers.


Photo copyright: logo3in1 / 123RF Stock Photo
