Cox To Pay $595,000 to Settle Data Breach Investigation
Cox Communications agreed to pay $595,000 to end an FCC Enforcement Bureau investigation into its apparent failure to protect subscribers' personal data from a hacker. The FCC said it was its first privacy and data security enforcement action involving a cable operator. Paul Stephens, director of policy and advocacy at the nonprofit Privacy Rights Clearinghouse, said he wasn't aware of any others involving any other regulator.
Cox's electronic data systems were breached in August 2014 by a hacker using the alias EvilJordie, a member of the Lizard Squad hacker group, the bureau said. EvilJordie pretended to be from Cox's IT department and convinced a Cox customer service representative and a Cox contractor to enter their account IDs and passwords into a phishing website, the FCC said. With those credentials came access to data about Cox subscribers, including names and addresses, secret questions and answers, personal identification numbers, in some cases partial Social Security and driver's license numbers, as well as Cox phone customers' customer proprietary network information (CPNI), the FCC said.
“Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” Enforcement Bureau Chief Travis LeBlanc said in a statement. “This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers’ information safe online and off.”
"Commitment to privacy and data security is a top priority ... and we take our responsibility to protect our customers’ personal information very seriously," Cox said in a statement Thursday. "While we regret that this incident occurred, our information security program ensured that we were able to react quickly and limit the incident to 61 customers. Cox also promptly reported the incident to the FBI and worked closely with them in their investigation, resulting in the arrest of the perpetrator. We will continue to enhance our privacy and information security programs to protect the personal information that is entrusted to us."
The very fact Cox's customer data was breached indicates there is value to that information, meaning a strong possibility other cable companies could see similar breaches, Stephens said. "It's truly a difficult task to have everything locked down to the point intrusions are not the norm," he said. "Almost every system has a point of vulnerability."
The investigation found that Cox at the time of the breach "did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials," the FCC said. Cox also didn't report the breach to the agency's data breach portal, as required, it said.
Along with the $595,000 civil penalty, the settlement also requires the cable company to identify affected customers, notify them of the breach and provide a year of free credit monitoring, as well as to adopt a compliance plan that includes yearly system audits, internal threat monitoring, penetration testing and additional breach notification systems and processes to protect customers’ personal information and CPNI, the FCC said. The bureau will monitor Cox’s compliance for seven years, it said.