The FCC has been flexing its muscles in 2015 when it comes to enforcing data security requirements. In April, it reached a $25 million settlement with AT&T Services, Inc. for failing to safeguard customers’ personal information. In July, it reached a $3.5 million settlement with TerraCom, Inc. and YourTel America, Inc. to resolve similar claims. Earlier this month, the FCC announced it had reached a $595,000 settlement with Cox Communications, Inc. (“Cox”) to resolve the Enforcement Bureau’s investigation into whether Cox failed to properly protect its customers’ personal information when its data systems were breached in an August 2014 incident. This marks the FCC’s first data security enforcement action against a cable operator.
The August 2014 security breach that drew the Bureau’s attention involved a member of the Lizard Squad hacking group. In a classic “pretexting” attack, the hacker convinced a Cox customer service representative and a Cox contractor over the phone that he was with Cox’s IT department. He then sent them a link to a malicious website that mimicked the look of Cox’s corporate intranet site, where they entered their Cox IDs and passwords. Using this information, the hacker gained unauthorized access to former and current Cox customers’ personally identifiable information, including names, addresses, email addresses, and PINs, as well as partial Social Security numbers and partial driver’s license numbers.
The hacker then proceeded to post some customers’ information on social media sites, change some customers’ account passwords, and share other data to fellow Lizard Squad members. According to the FCC’s consent decree, a total of 61 Cox customers had their data exposed. The resulting FCC fine comes out to almost $10,000 per customer---why so steep? (The $25 million fine the FCC imposed on AT&T came out to roughly $90 per affected customer.)
One reason is that, while Cox promptly reported the incident to the FBI, it never reported the breach to the FCC’s data breach portal. The FCC’s regulations implementing Section 222 of the Communications Act require that breaches be reported to the portal within seven business days; the FCC shares information collected from the portal with the FBI and U.S. Secret Service to facilitate any breach related investigation.
In addition, while the FCC acknowledged that Cox had some defenses in place, it noted that those defenses (as well as related training) were inadequate. “At the time of the breach, Cox employed multifactor authentication for some employees and third party contractors with access to Cox electronic data systems, but not for the compromised employee or contractor,” the FCC noted in the consent decree. “Cox’s internal policies and training programs expressly prohibited Cox employees and third party contractors from disclosing access credentials to anyone and warned against pretexting attacks.” (This last part would seem to help Cox’s case, but the success of the pretexting attack in the face of such warnings and prohibitions likely gave the FCC the impression that Cox’s training and testing programs were not reasonably robust.)
In addition to paying the fine, Cox agreed to identify and notify all affected customers of the breach and provide them with a year of free credit monitoring. Cox also agreed to, among other things:
- Develop and implement a compliance plan;
- Designate a senior corporate manager to serve as a Compliance Officer, who will work with a Chief Privacy Officer (who must be a certified privacy professional), and a Chief Information Security Officer to develop, implement and administer the compliance plan;
- Conduct a comprehensive privacy risk assessment;
- Review and revise its written information security program;
- Maintain policies and procedures for third-party vendor oversight, including multifactor authentication;
- Use multifactor authentication across the company for employees with access to confidential customer information;
- Implement a more robust data breach response plan (including annual test exercises) and subject the plan to third-party review;
- Review and revise its compliance manual; and
- Ensure privacy and security awareness training is provided to employees and third-party vendors.
The FCC will monitor Cox’s compliance with the consent decree for the next seven years.
With this third data privacy enforcement action of 2015, the FCC is sending a clear signal that it intends to aggressively enforce the Communications Act’s requirements that customer information be protected (and that security breaches be promptly reported to the FCC). While Cox’s information security program may have enabled it to limit the incident to a relatively small number of customers, the fact remains that the breach exposed a number of shortcomings. Cox’s customer service representative and third party vendor fell for a classic “pretexting” scam, Cox failed to enact multifactor authentication across the enterprise (which would have helped prevent the hacker’s attack from succeeding), and Cox never reported the breach to the FCC’s data security portal. Unfortunately for Cox, those factors helped make this an “easy” case for the FCC, as well as a cautionary tale for others in the industry.
Add a comment
Archives
- January 2022
- June 2021
- March 2020
- August 2019
- March 2019
- October 2018
- July 2016
- June 2016
- May 2016
- February 2016
- November 2015
- September 2015
- July 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- July 2014
- March 2014
- July 2013
- June 2013
- April 2013
- March 2013
- October 2012
- September 2012
- August 2012
- April 2012
- March 2012
- February 2012
- January 2012
- November 2011
- September 2011
- June 2011
- May 2011
- April 2011
- February 2011
- January 2011
- December 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2006
- February 2006
Recent Posts
- Rethinking Your Cyber Insurance Needs as Your Workplace Evolves
- Data Breach Defense for Educational Institutions
- COVID-19 and the Increased Cybersecurity Risk in a Work-From-Home World
- Like Incorporating Facebook into your Website? EU Decision Raises New Issues
- Lessons Learned: Key Takeaways for Every Business from the Capital One Data Breach
- Will Quick Talks to WRAL About Privacy Issues Related to Doorbell Cameras
- About Us
- Not in My House - California to Regulate IoT Device Security
- Ninth Circuit Says You’re Going to Jail for Visiting That Website without Permission
- Ninth Circuit Interprets “Without Authorization” under the Computer Fraud and Abuse Act
Topics
- Data Security
- Data Breach
- Privacy
- Defamation
- Public Records
- Cyberattack
- FCC Matters
- Reporters Privilege
- Political Advertising
- Newsroom Subpoenas
- Shield Laws
- Internet
- Miscellaneous
- Digital Media and Data Privacy Law
- Indecency
- First Amendment
- Anti-SLAPP Statutes
- Fair Report Privilege
- Prior Restraints
- Education
- Wiretapping
- Access to Courtrooms
- FOIA
- HIPAA
- Drone Law
- Access to Search Warrants
- Access to Court Dockets
- Intrusion
- First Amendment Retaliation
- Mobile Privacy
- Newsroom Search Warrants
- About This Blog
- Disclaimer
- Services