The Federal Communications Commission (FCC) announced a settlement with TracFone Wireless today, concluding investigations into the company’s failure to adequately protect customer information from unauthorized access during three data breaches.
These breaches involved the exploitation of application programming interfaces (APIs), the interfaces that let separate computer programs exchange data. Because websites and apps commonly use APIs to retrieve customer information, APIs are a frequent target for cyberattacks.
The settlement, known as a Consent Decree, includes measures to strengthen TracFone’s API security. This is crucial because APIs are widespread and frequently targeted by hackers. Loyaan A. Egal, Chief of the Enforcement Bureau and Chair of the Privacy and Data Protection Task Force, emphasized the importance of API security for carriers due to the sensitive customer information they hold.
TracFone, a subsidiary of Verizon Communications since November 2021, offers services through various brands, including Straight Talk, Total by Verizon Wireless, and Walmart Family Mobile. Between January 2021 and January 2023, TracFone experienced three data breaches, exposing customer proprietary network information (CPNI) and personally identifiable information (PII), and leading to numerous unauthorized port-outs.
The breaches violated Section 222 of the Communications Act, which requires carriers to protect customer information, and Section 201, which prohibits unjust and unreasonable practices. The FCC expects carriers to take all reasonable precautions to protect customer information and has rules in place to ensure carriers discover, report, and protect against unauthorized access to CPNI.
As part of the Consent Decree, TracFone will pay a $16 million civil penalty and implement several measures to enhance security:
Establish an information security program to reduce API vulnerabilities, following standards from the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP).
Introduce Subscriber Identity Module (SIM) change and port-out protections.
Conduct annual assessments, including independent third-party evaluations, of its information security program.
Provide privacy and security awareness training to employees and certain third parties.
This settlement follows the FCC’s issuance of nearly $200 million in fines against major wireless carriers for illegally sharing customer location information without consent and failing to protect this sensitive data.
In 2023, FCC Chairwoman Jessica Rosenworcel established the Privacy and Data Protection Task Force. This FCC staff working group coordinates the agency’s rulemaking, enforcement, and public awareness efforts regarding privacy and data protection, focusing on data breaches and cybersecurity vulnerabilities in telecommunications providers.