The Federal Communications Commission (FCC) today announced a settlement with TracFone Wireless, closing its investigation into the company’s failure to adequately protect customer information from unauthorized access during three data breaches.
These breaches involved the misuse of application programming interfaces (APIs), tools that allow communication between different computer programs. APIs are a popular target for cyber attacks because they allow websites to access customer information.
The settlement, known as a consent decree, includes measures to strengthen TracFone’s API security, which is critical because APIs are widespread and often targeted by hackers. Director of Enforcement and Chair of the Privacy and Data Protection Task Force Loyaan A. Egal emphasized the importance of API security given the sensitive customer information held by carriers.
TracFone, a subsidiary of Verizon Communications since November 2021, offers services through a variety of brands, including Straight Talk, Total by Verizon Wireless and Walmart Family Mobile. Between January 2021 and January 2023, TracFone experienced three data breaches that exposed customer proprietary network information (CPNI) and personally identifiable information (PII) and caused numerous unauthorized port-outs.
These breaches violate Section 222 of the Communications Act, which requires carriers to protect customer information, and Section 201, which prohibits unjust or unreasonable practices. The FCC expects carriers to take all reasonable precautions to protect customer information and has rules in place to help carriers detect, report, and protect against unauthorized access to CPNI.
As part of the consent decree, TracFone will pay a $16 million civil penalty and implement several measures to enhance security:
Establish an information security program to mitigate API vulnerabilities following standards from the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP).
Introduce Subscriber Identity Module (SIM) change and port-out protection.
Conduct an annual evaluation, including an independent third-party assessment, of its information security program.
Provide privacy and security awareness training to employees and certain third parties.
The settlement comes after the FCC fined major wireless carriers approximately $200 million for illegally sharing customer location information without consent and failing to protect this sensitive data.
In 2023, FCC Chairman Jessica Rosenworcel established the Privacy and Data Protection Task Force, an FCC staff working group that focuses on data breaches and cybersecurity vulnerabilities at communications providers and coordinates the FCC’s rulemaking, enforcement, and public awareness efforts on privacy and data protection.