SecurityWeek

Privacy & Compliance

FCC Fines Cox for Lizard Squad Hack

Broadband communications company Cox has agreed to pay a heavy fine to settle allegations by the Federal Communications Commission (FCC) that it had failed to protect customers’ personal information.

Cox has agreed to pay a $595,000 settlement as part of what the FCC calls its first privacy and data security enforcement action against a cable operator.


The FCC launched an investigation after a hacker known as “EvilJordie,” a member of the notorious Lizard Squad collective, hacked into Cox’s systems following a successful social engineering attack.

Pretending to be a staff member from the company’s IT department, the attacker convinced a Cox customer service representative and a contractor to enter their usernames and passwords on a phishing website. The hacker used the stolen credentials to access customer information, including names, email addresses, addresses, PINs, and in some cases social security and driver’s license numbers.

EvilJordie changed some of the affected customers’ passwords, and posted some of the stolen information on social media websites.

Cybercrime blogger Brian Krebs, who was one of the victims of this attack, reported that he and 60 other Cox customers were affected by the incident.

“The Communications Act requires that a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator,” the FCC said.

“The Enforcement Bureau’s investigation found that, at the time of the breach, Cox’s relevant data security systems did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials. Moreover, the company never reported the breach to the FCC’s data breach portal, as required by law,” the agency added.

In addition to paying the $595,000 fine, Cox must identify the customers affected by the August 2014 breach, notify them, and provide them with one year of free credit monitoring. The company must also establish an information security program that includes penetration testing, additional breach notification systems, annual audits, and internal threat monitoring.

“It’s too bad that it takes incidents like this to get more ISPs to up their game on security. It’s also too bad that most ISPs hold so much personal and sensitive information on their customers,” Krebs noted in a blog post on Friday.

Earlier this year, the FCC announced that AT&T had agreed to pay a $25 million fine after it was discovered that some of the company’s call center employees had accessed customer records and distributed the information to unauthorized third parties.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
