Verizon Settles for $16 Million Over TracFone Data Breach: New Security Measures Required
Introduction
In a significant development in the realm of data security, Verizon Communications has agreed to a $16 million settlement with the Federal Communications Commission (FCC) following a series of data breaches at its subsidiary, TracFone Wireless. The breaches, which occurred between 2021 and 2023, have led to increased scrutiny of Verizon's data protection practices and will result in mandatory improvements to its security measures. This post explores the details of the breaches, the terms of the settlement, and the steps Verizon will need to take to enhance its data security going forward.
The Data Breach Incidents
TracFone Wireless, a telecommunications provider that operates brands like Total by Verizon Wireless, Straight Talk, and Walmart Family Mobile, experienced multiple data breaches in recent years. The breaches are divided into three main incidents:
- The 'Cross-Brand' Breach: First discovered in December 2021 and reported in January 2022, this breach involved unauthorized access to sensitive customer data, including personally identifiable information (PII) and customer proprietary network information (CPNI). The attackers exploited vulnerabilities related to authentication and APIs, allowing them to conduct unauthorized number porting requests.
- Order Website Breaches: Two additional breaches occurred on TracFone's order websites, reported on December 20, 2022, and January 13, 2023. In these cases, unauthenticated attackers exploited a vulnerability to access order information and other customer data. The attackers used different methods to bypass security measures, necessitating multiple fixes by TracFone.
The extent of the data exposure and the number of affected individuals have not been disclosed in the public version of the FCC's Consent Decree.
Settlement Agreement and Security Requirements
As part of the settlement, Verizon must undertake several measures to improve data security at TracFone. These measures are mandated to be in place by February 28, 2025, and include:
- Developing a Comprehensive Security Program: TracFone must establish a robust information security program to address API vulnerabilities. This involves adhering to standards set by organizations like NIST and OWASP, implementing secure API controls, and regularly updating and testing security measures.
- Implementing SIM and Port-Out Protections: New protocols will be introduced to secure SIM changes and port-out requests. This includes enhanced authentication procedures, customer notifications, and the introduction of number transfer PINs.
- Conducting Annual Security Assessments: TracFone will perform annual internal assessments of its information security program and will engage independent third-party evaluators every two years to review the program’s effectiveness and maturity.
- Providing Employee Training: Annual training programs will be conducted to enhance employees' ability to protect customer data and comply with security protocols.
Conclusion
The $16 million settlement reflects the serious nature of the data breaches experienced by TracFone and highlights the pressing need for stringent data security measures. As Verizon implements the required changes, it is crucial for other organizations to take note and ensure they are adopting best practices in cybersecurity. Enhanced security protocols and ongoing vigilance are essential in safeguarding customer information against increasingly sophisticated cyber threats.
About Foresiet!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Nov. 21, 2024, 5:23 p.m.
Nov. 20, 2024, 6:23 p.m.