Broadband communications company Cox has agreed to pay a heavy fine to settle allegations by the Federal Communications Commission (FCC) that it had failed to protect customers’ personal information.
Cox has agreed to pay a $595,000 settlement as part of what the FCC calls its first privacy and data security enforcement action against a cable operator.
The FCC launched an investigation after a hacker known as “EvilJordie,” a member of the notorious Lizard Squad collective, hacked into Cox’s systems following a successful social engineering attack.
Pretending to be a staff member from the company’s IT department, the attacker convinced a Cox customer service representative and a contractor to enter their usernames and passwords on a phishing website. The hacker then used the stolen credentials to access customer information, including names, email addresses, postal addresses, account PINs and, in some cases, Social Security and driver’s license numbers.
EvilJordie changed some of the affected customers’ passwords, and posted some of the stolen information on social media websites.
Cybercrime blogger Brian Krebs, himself one of the victims of the attack, reported that he and 60 other Cox customers were affected by the incident.
“The Communications Act requires that a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator,” the FCC said.
“The Enforcement Bureau’s investigation found that, at the time of the breach, Cox’s relevant data security systems did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials. Moreover, the company never reported the breach to the FCC’s data breach portal, as required by law,” the agency added.
In addition to paying the $595,000 fine, Cox will have to identify the customers affected by the August 2014 breach, notify them, and provide them with one year of free credit monitoring. The company must also establish an information security program that includes penetration testing, additional breach notification systems, annual audits, and internal threat monitoring.
“It’s too bad that it takes incidents like this to get more ISPs to up their game on security. It’s also too bad that most ISPs hold so much personal and sensitive information on their customers,” Krebs noted in a blog post on Friday.
Earlier this year, the FCC announced that AT&T had agreed to pay a $25 million fine after it was discovered that some of the company’s call center employees had accessed customer records and passed the information to unauthorized third parties.