SecurityWeek

FCC Fines Cox for Lizard Squad Hack

Broadband communications company Cox has agreed to pay a heavy fine to settle allegations by the Federal Communications Commission (FCC) that it had failed to protect customers’ personal information.

Cox has agreed to pay a $595,000 settlement as part of what the FCC calls its first privacy and data security enforcement action against a cable operator.

The FCC launched an investigation after a hacker known as “EvilJordie,” a member of the notorious Lizard Squad collective, hacked into Cox’s systems following a successful social engineering attack.

Pretending to be a staff member from the company’s IT department, the attacker convinced a Cox customer service representative and a contractor to enter their usernames and passwords on a phishing website. The hacker used the stolen credentials to access customer information, including names, email addresses, addresses, PINs, and in some cases social security and driver’s license numbers.

EvilJordie changed some of the affected customers’ passwords, and posted some of the stolen information on social media websites.

Cybercrime blogger Brian Krebs, who was one of the victims of this attack, reported that he and 60 other Cox customers were affected by the incident.

“The Communications Act requires that a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator,” the FCC said.

“The Enforcement Bureau’s investigation found that, at the time of the breach, Cox’s relevant data security systems did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials. Moreover, the company never reported the breach to the FCC’s data breach portal, as required by law,” the agency added.

In addition to paying the $595,000 fine, Cox will also have to identify customers affected by the August 2014 breach, notify them, and provide them one year of free credit monitoring. The company will also have to establish an information security program that includes penetration testing, additional breach notification systems, annual audits, and internal threat monitoring.

“It’s too bad that it takes incidents like this to get more ISPs to up their game on security. It’s also too bad that most ISPs hold so much personal and sensitive information on their customers,” Krebs noted in a blog post on Friday.

Earlier this year, the FCC announced that AT&T had agreed to pay a $25 million fine after it was discovered that some of the company’s call center employees had accessed customer records and distributed the information to unauthorized third parties.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
