The FCC said that Cox Communications has agreed to pay a $595,000 fine, after the agency found that the MSO didn't do enough to protect customers amid a 2014 email security breach.
The FCC's Enforcement Bureau found that Cox's data systems were breached in August 2014 by a hacker using the alias EvilJordie, a member of the "Lizard Squad" hacker group. According to the FCC, EvilJordie presented himself as a Cox tech employee and successfully convinced a company customer service rep and a Cox contractor to give up authentication keys that unlocked the sensitive customer data.
This data included customer names, physical addresses, email addresses, security questions/answers, PINs, and in some cases, Social Security and driver's license numbers. EvilJordie shared some of the stolen information on social media sites, the FCC said, and also dispersed some of it among other Lizard Squad members.
"Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections," said Enforcement Bureau Chief Travis LeBlanc. "This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers' information safe online and off."
Cox representative Todd Smith said in a statement: "Cox's commitment to privacy and data security is a top priority for the company and we take our responsibility to protect our customers' personal information very seriously. While we regret that this incident occurred, our information security program ensured that we were able to react quickly and limit the incident to 61 customers. Cox also promptly reported the incident to the FBI and worked closely with them in their investigation, resulting in the arrest of the perpetrator. We will continue to enhance our privacy and information security programs to protect the personal information that is entrusted to us."
The Communications Act requires cable companies not to disclose personally identifiable information for any subscriber without their prior written consent. Cox's $595,000 fine amounts to a civil penalty. Cox is also required to notify each affected customer and provide them with one free year of credit monitoring.
Cox must also adhere to new data security protocols, including annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems. The FCC will monitor the MSO's compliance with a consent decree for seven years.
Cox isn't the only service provider that has suffered security breaches. A hacker recently broke into the systems of T-Mobile vendor Experian and stole names, birthdates, Social Security Numbers and more from around 15 million people. And in Europe, TalkTalk recently said around 21,000 unique bank account numbers had been accessed by hackers.