FCC Fines Cox Over Breach IncidentRegulator Increasingly Cracks Down on Security Shortcomings
Regulators in the United States continue to crack down on security lapses at breached organizations.
In the latest example, the Federal Communications Commission has fined cable TV provider Cox Communications $595,000 and ordered it to implement a seven-year monitoring program after it suffered a data breach at the hands of a well-known hacking group that exposed information on a handful of its customers.
Back in April, the FCC announced a $25 million fine against AT&T after its call center workers stole information on 280,000 customers (see Insider Breach Costs AT&T $25 Million). The FCC has also issued significant fines against a number of other telecommunications firms, including Dialing Services, Sprint, Verizon and TerraCom and YourTel America, all for failing to adequately protect customers' personal information.
Security experts say the penalty against Cox Communications for a relatively small breach incident signals the agency's continuing push to more aggressively enforce U.S. telecommunications regulations, which require that companies "take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator," as well as take "every reasonable precaution" to secure customer data and notify the FCC of any suspected breach.
Lizard Squad Hack
The FCC's civil penalty against Cox stems from an investigation into an August 2014 data breach that allowed an attacker to steal PII.
The breach was perpetrated by "EvilJordie," a member of the hacking group that calls itself Lizard Squad, who used "pretexting" - a form of social engineering - to gain access to Cox's customer databases, the FCC says.
"Specifically, EvilJordie pretended to be from Cox's information technology department and convinced a contractor to enter her account ID and password into a fake, or 'phishing,' website on or about Aug. 7, 2014," the FCC says, noting that a Cox Tech Support representative later fell victim to the same scam. "According to Cox, the phony phishing website appeared to be a Cox website but, in fact, was controlled by EvilJordie."
Cox spokesman Todd C. Smith tells Information Security Media Group that 61 customers were affected by the breach, which compromised names, home addresses, email addresses, phone numbers, partial Social Security and driver's license numbers, as well as other account-related data.
"Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections," says Travis LeBlanc, who heads the FCC's enforcement bureau. "This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the Web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers' information safe online and off."
Smith says that the company is working to improve its privacy and security practices. "We take our responsibility to protect our customers' personal information very seriously," Smith says. "While we regret that this incident occurred, our information security program ensured that we were able to react quickly and limit the incident to 61 customers. Cox also promptly reported the incident to the FBI and worked closely with them in their investigation, resulting in the arrest of the perpetrator."
FCC Flexes Muscle
The increasing number of enforcement actions by the FCC means the agency has joined the ranks of the Federal Trade Commission, Securities and Exchange Commission and Department of Health and Human Services in cracking down on poor data security or breach-reporting practices (see LifeLock Tentatively Settles with FTC).
But John Pescatore, dean of the SANS Institute, says in a SANS research note that many telecommunications firms are still failing to take seriously the voluntary cybersecurity guidelines that have been advanced by the Communications Security, Reliability and Interoperability Council, which provides related recommendations to the FCC. The group includes representatives from a number of telecommunications and broadcasting firms, as well as civil rights groups, among others.
"Voluntary improvements that have been discussed by CSRIC working groups in this area for close to five years have made little visible progress; perhaps a few enforcement actions will invigorate those efforts," Pescatore says.
Under the terms of its settlement, Cox has agreed to improve its data security and privacy practices in the following ways:
- Appoint a senior corporate privacy manager who's a certified privacy professional;
- Conduct privacy risk assessments;
- Implement a written information security program;
- Improve oversight of third-party vendors;
- Use multi-factor authentication across the enterprise;
- Create and implement a better data breach response plan;
- Provide privacy and security awareness training to employees and third-party vendors.
Cox has also agreed to alert all customers who were affected by the August 2014 breach - although the FCC says Cox notified all but two last year - and now provide them with one year of prepaid credit monitoring. Cox will also provide the FCC with regular updates on its security and privacy program for the next seven years.
The FCC has acknowledged that Cox had some defenses in place, but notes that those defenses - as well as related training - were inadequate. "At the time of the breach, Cox employed multifactor authentication for some employees and third-party contractors with access to Cox electronic data systems, but not for the compromised employee or contractor," the FCC says. "Cox's internal policies and training programs expressly prohibited Cox employees and third party contractors from disclosing access credentials to anyone and warned against pretexting attacks."
Incorrect Breach Response
Security experts say the FCC fine demonstrates the importance of not just taking data security seriously, but also planning in advance for how to react to any suspected data breach. "Organizations must have breach-disclosure processes in place - consistent with disclosure regulations and laws - and a shared, documented understanding of when these processes should come into effect," threat-intelligence firm iSight Partners says in a research note.
Notably, the FCC slammed Cox for failing to follow required procedures in the wake of a breach. Under the Cable Communications Policy Act, any telecommunications provider that suspects it suffered a breach must report that fact within seven days to the FCC, which has created a portal that then shares the information with the FBI and U.S. Secret Service to facilitate any related breach investigation.
The FCC notes that Cox first learned of the Aug. 7, 2014, breach on Aug. 12, following a customer complaining to the company that their information had been posted to a social media site. Cox then notified only the FBI about the breach on Aug. 18.