Cox Communications reached a $595,000 settlement to resolve whether the company failed to properly protect its customers’ personal information when the company’s electronic data systems ended up breached in 2014.
As a result, third parties had access to the personal information of Cox’s subscribers. Cox has six million subscribers nationwide. Today’s action represents the Federal Communications Commission (FCC) Enforcement Bureau’s first privacy and data security enforcement action with a cable operator.
The Enforcement Bureau’s investigation found Cox’s electronic data systems ended up breached in August 2014 by a hacker using the alias “EvilJordie,” a member of the Lizard Squad group. EvilJordie pretended to be from Cox’s information technology department, and convinced a Cox customer service representative and Cox contractor to enter their account IDs and passwords into a phishing website.
With those credentials, the hacker gained unauthorized access to Cox customers’ personally identifiable information, which included names, addresses, email addresses, secret questions/answers, PIN, and in some cases partial Social Security and driver’s license numbers of Cox’s cable customers, as well as Customer Proprietary Network Information (CPNI) of the company’s telephone customers. The hacker then posted some customers’ information on social media sites, changed some customers’ account passwords, and shared the compromised account credentials.
The Communications Act requires a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator.
The Enforcement Bureau’s investigation found at the time of the breach, Cox’s relevant data security systems did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials. Moreover, the company never reported the breach to the FCC’s data breach portal, as required by law.
As a condition of settlement, Cox will pay a $595,000 civil penalty.
The settlement also requires Cox to identify all affected customers, notify them of the breach, and provide them one year of free credit monitoring. Under the settlement, Cox will adopt a comprehensive compliance plan, which establishes an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers’ personal information and CPNI. The Enforcement Bureau will monitor Cox’s compliance with the consent decree for seven years.