TracFone to pay $16m to settle investigation of data protection failures

The Verizon-owned company failed to keep customer data safe during three breaches.

TracFone Wireless has agreed to pay $16m to resolve investigations with the Federal Communications Commission (FCC) over customer protection failures in connection to three data breaches.

The company, a prepaid wireless service provider, was found to have failed to protect its customers’ information from unauthorized access via exploitation of its application programming interfaces (APIs).

The breaches happened between January 2021 and January 2023, and resulted in unauthorized access to and exposure of customers’ data, as well as numerous unauthorized port-outs. The exposed data included:

  • proprietary information;
  • certain customer proprietary network information (CPNI); and
  • personally identifiable information.

“Carriers – and the customer information they have access to – are prime targets for threat actors,” said Loyaan A. Egal, Chief of the Enforcement Bureau and chair of the Privacy and Data Protection Task Force. “The Enforcement Bureau’s investigations and resulting Consent Decree make clear that API security is paramount and should be on the radar of all carriers.”

Violating the Communications Act

With the settlement, called a Consent Decree, TracFone has also agreed to terms to strengthen its API security, which the FCC says is “critical because APIs are ubiquitous, and thus are a common attack vector for threat actors.”

That includes a commitment to establish a mandated information security program and other protective measures, to undergo annual assessments, and to provide privacy and security awareness training for employees.

Failing to reasonably secure customers’ proprietary information is a violation of a carrier’s duty under section 222 of the Communications Act, and also constitutes an unjust and unreasonable practice in violation of section 201.

It is also a violation of section 222 to impermissibly use, disclose, or permit access to individually identifiable CPNI without the customer’s approval.

Another action was taken against wireless carriers in late April, when the FCC fined AT&T, Sprint, T-Mobile, and Verizon (which owns TracFone) close to $200m for illegally sharing access to customers’ location data without their consent. They were also found not to have taken sufficient measures to protect the data against unauthorized disclosure.

“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them,” said FCC Chairwoman Jessica Rosenworcel.