
TracFone fined $16 million by FCC for three data breaches


Verizon-owned telecom provider TracFone Wireless has agreed to pay a $16 million civil fine to resolve investigations into three separate data breaches between January 2021 and January 2023. The carrier’s APIs were exploited in the breaches, which allowed hackers to access customer proprietary network information (CPNI) and other personally identifiable information (PII).

The first incident was discovered in December 2021 and led to several requests to transfer customers' phone numbers to different carriers without authorisation from the affected customers. The other two incidents were related to the carrier’s order website and were reported in December 2022 and January 2023. Threat actors exploited a vulnerability that allowed them to access order information without authentication. This flaw was later fixed in February 2023.


Threat actors had access to TracFone’s customer information between January 2021 and January 2022, during the three breaches. Consequently, the FCC believes TracFone failed to “reasonably protect its customers’ information from unauthorized access in connection with three data breaches.”

Moving forward, in addition to the $16 million civil penalty, TracFone will also have to do the following:

  • Implement a mandated information security program with novel provisions to reduce API vulnerabilities in ways consistent with widely accepted standards, like those identified by the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP)
  • Implement Subscriber Identity Module (SIM) change and port-out protections
  • Carry out annual assessments, including by independent third parties, of its information security program
  • Provide privacy and security awareness training to employees and certain third parties.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
