Tracfone Agrees to Pay $16M Fine and Better Secure Customer Data
Tracfone Wireless will pay $16 million and take other steps to resolve investigations into whether it failed to reasonably protect customers’ information from unauthorized access in connection with three data breaches, the FCC said Monday. Verizon is Tracfone's owner. The…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
breaches involved exploitation of application programming interfaces (APIs), the agency said. “The Commission takes matters of consumer privacy, data protection, and cybersecurity seriously, including in the context of emerging security issues,” said Loyaan Egal, chief of the Enforcement Bureau. The investigations and consent decree “make clear that API security is paramount and should be on the radar of all carriers,” Egal added. The breaches occurred between 2021 and last year, according to the consent decree. “While APIs greatly improve the modularity and flexibility of software, they dramatically expand the potential attack surface area,” the decree said: “Without adequate protection, an attacker may be able to make an API request to any one of these components to perform a malicious action or retrieve private information, including consumer information.” Among other things, Tracfone agreed to develop a security compliance plan and implement “a comprehensive information security program,” SIM change and port-out protections. "We're pleased that we were able to reach this settlement to address these past TracFone matters,” a Verizon spokesperson said in an email: “Since we purchased TracFone, our combined cybersecurity teams have been working to enhance its security protocols and extend the same robust protections to all Verizon customer accounts."