Verizon Communications has agreed to a significant $16 million settlement with the Federal Communications Commission (FCC) following a series of data breaches at its subsidiary, TracFone Wireless. The breaches, which occurred between 2021 and 2023, exposed sensitive customer information, including personally identifiable information (PII) and customer proprietary network information (CPNI). This settlement addresses the fallout from three separate incidents that led to unauthorized access to customer data and raised serious concerns about the security of TracFone’s systems.
The first breach, known as the ‘Cross-Brand’ incident, was self-reported by TracFone on January 14, 2022, after the company discovered the breach in December 2021. The investigation revealed that threat actors had exploited vulnerabilities related to authentication and APIs, gaining access to customer data since January 2021. This unauthorized access led to numerous unauthorized number porting requests, further compromising customer security. TracFone’s failure to promptly address these vulnerabilities allowed attackers to exploit these weaknesses extensively.
Following this, two additional breaches involved TracFone’s order websites and were reported on December 20, 2022, and January 13, 2023. In these incidents, unauthenticated threat actors exploited a vulnerability to access order information and other customer data. Despite initial attempts to block the attacks, the attackers employed multiple methods to circumvent security measures. TracFone ultimately implemented a long-term fix for the underlying vulnerabilities by February 2023, but the breaches had already raised significant concerns about the company’s data security practices.
Under the terms of the settlement, Verizon is mandated to implement comprehensive data security measures by February 28, 2025. This includes developing and adhering to a rigorous information security program to address API vulnerabilities, implementing secure authentication for SIM changes and port-out requests, and notifying customers of such requests. Additionally, Verizon will conduct annual information security assessments and engage in independent third-party evaluations every two years to ensure the effectiveness and maturity of its security measures. Annual employee privacy and security awareness training will also be mandated to enhance the company’s capability to protect customer data and adhere to security protocols. These measures aim to strengthen TracFone’s data security infrastructure and prevent future breaches, thereby reinforcing customer trust and compliance with regulatory standards.
Reference:
