Verizon-owned telecom provider TracFone Wireless has agreed to pay a $16 million civil fine to resolve investigations into three separate data breaches between January 2021 and January 2023. The carrier’s APIs were exploited in the breaches, which allowed hackers to access customer proprietary network information (CPNI) and other personally identifiable information (PII).
The first incident was discovered in December 2021: several requests were made to port customers' phone numbers to other carriers without authorisation from the affected customers. The other two incidents involved the carrier's order website and were reported in December 2022 and January 2023. Threat actors exploited a vulnerability that allowed them to retrieve order information without authenticating. The flaw was fixed in February 2023.

Threat actors had access to TracFone’s customer information between January 2021 and January 2022, during the three breaches. Consequently, the FCC believes TracFone failed to “reasonably protect its customers’ information from unauthorized access in connection with three data breaches.”
Moving forward, in addition to the $16 million civil penalty, TracFone will also have to do the following:
- Implement a mandated information security program with novel provisions to reduce API vulnerabilities in ways consistent with widely accepted standards, like those identified by the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP)
- Implement Subscriber Identity Module (SIM) change and port-out protections
- Carry out annual assessments, including by independent third parties, of its information security program
- Provide privacy and security awareness training to employees and certain third parties.
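To make the API failure mode concrete, here is an added illustration (not TracFone's code, and not a reconstruction of the actual flaw) of an order-lookup handler that returns records to any caller who supplies an order id, beside the authenticated, ownership-checked version that the OWASP API Security Top 10 (broken authentication, broken object-level authorization) and the consent decree's API provisions call for. The order records, session tokens and handler shapes are constructed assumptions for this example.

```python
"""Added example: unauthenticated order lookup beside a hardened handler.
All records, tokens and function names are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: str
    customer_id: str
    phone_number: str   # CPNI: the line the order relates to
    sim_iccid: str      # CPNI/PII carried on the order
    status: str


# Constructed sample records (not real customers, numbers or ICCIDs)
ORDERS = {
    "1001": Order("1001", "cust-A", "555-010-0001", "8901000000000000001", "shipped"),
    "1002": Order("1002", "cust-B", "555-010-0002", "8901000000000000002", "pending"),
}

# Constructed session store: opaque bearer token -> authenticated customer id
SESSIONS = {"tok-A": "cust-A", "tok-B": "cust-B"}


def lookup_order_unauthenticated(order_id: str) -> Optional[Order]:
    """Weak pattern: anyone who can guess or enumerate an order id receives
    the full record, identity never established. This is the class of flaw
    the article describes (order information accessible without authentication)."""
    return ORDERS.get(order_id)


class ApiError(Exception):
    """Carries an HTTP-style status so callers can map it to a response."""
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def authenticate(token: Optional[str]) -> str:
    """Authentication control: resolve the caller to a customer id or fail closed."""
    if token is None or token not in SESSIONS:
        raise ApiError(401, "authentication required")
    return SESSIONS[token]


def mask_phone(number: str) -> str:
    """Data minimisation: expose only the last four digits of CPNI to the UI."""
    return "***-***-" + number[-4:]


def lookup_order(token: Optional[str], order_id: str) -> dict:
    """Hardened handler: authenticate, then enforce object-level authorization
    (the order must belong to the caller), and return a minimised view."""
    caller = authenticate(token)
    order = ORDERS.get(order_id)
    # Same 404 for "does not exist" and "not yours", so the endpoint cannot be
    # used as an oracle to enumerate which order ids are valid.
    if order is None or order.customer_id != caller:
        raise ApiError(404, "order not found")
    return {
        "order_id": order.order_id,
        "status": order.status,
        "phone_number": mask_phone(order.phone_number),
        # sim_iccid is deliberately omitted from the customer-facing view
    }


def status_of(token: Optional[str], order_id: str) -> int:
    """Return the HTTP-style status the hardened handler would produce."""
    try:
        lookup_order(token, order_id)
        return 200
    except ApiError as exc:
        return exc.status


if __name__ == "__main__":
    # Weak handler: full CPNI for order 1002 with no identity at all
    print(lookup_order_unauthenticated("1002"))
    # Hardened handler: 401 with no token, 404 for another customer's order,
    # 200 with a masked view for the owner
    print(status_of(None, "1001"), status_of("tok-B", "1001"), status_of("tok-A", "1001"))
    print(lookup_order("tok-A", "1001"))
```

The design point is that authentication alone is not enough: an authenticated customer B asking for customer A's order must be refused, and the refusal should be indistinguishable from a nonexistent order so the endpoint leaks nothing about which ids are in use.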