By Hannah Lepow
Yesterday the FCC announced that it has entered into a $595,000 settlement agreement with Cox Communications to resolve an investigation into whether the company failed to protect its customers’ personal information when it suffered a data breach in 2014. This is the first privacy and data security enforcement action the FCC Enforcement Bureau has brought against a cable operator.
The Enforcement Bureau’s investigation found that Cox’s electronic data systems were breached in August 2014 by a hacker posing as a member of Cox’s IT department, who convinced a Cox customer service representative and a Cox contractor to enter their account IDs and passwords into a phishing website. Using those credentials, the hacker gained access to data including cable customers’ names, addresses, email addresses, and partial Social Security and driver’s license numbers, as well as telephone customers’ Customer Proprietary Network Information (CPNI). The hacker, a member of the “Lizard Squad” hacker group, posted some of this personal information on social media sites, changed customer account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.
The Enforcement Bureau found that Cox’s data security systems at the time of the breach lacked several measures that might have prevented the compromised credentials from being used to access personal data. Cox also did not report the breach through the FCC’s CPNI data breach portal, the central reporting facility through which carriers are required to notify law enforcement of CPNI breaches.
In addition to the $595,000 civil penalty, the settlement requires Cox to adopt a comprehensive compliance plan that the FCC will monitor for the next seven years. Under this plan, Cox must establish an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers’ personal information and CPNI. Cox will also identify affected customers, notify them of the breach, and provide them with one year of free credit monitoring.