TracFone, the pre-paid phone company, recently settled with the FCC over allegations that the company failed to protect customer information during three different data incidents. According to the FCC, in each of the incidents, threat actors gained access to customer information, including names, addresses, and features to which customers had subscribed. The threat actors were able to gain access by exploiting vulnerabilities in the customer-facing application programming interfaces or APIs.
TracFone reported the initial breach to the FCC in January 2022. It then experienced two additional breaches, of which it notified the FCC in December 2022 and January 2023. (These notices occurred before the recent changes to the FCC’s data breach notification rule.) In both incidents, threat actors again exploited API vulnerabilities, and used those vulnerabilities accessed users’ order information.
The FCC alleged that the incidents occurred because TracFone did not have adequate security measures in place, in violation of FCC’s rules for telecommunication carriers. As part of the settlement, TracFone has agreed to:
- Develop both a compliance plan and security program to ensure future compliance with FCC security requirements which shall be memorialized in a “Compliance Manual” available to both internal employees and third parties with whom the company contracts;
- Designate a compliance officer and train employees annually on safeguarding data in ways specific to their roles and responsibilities;
- Develop and adopt policies and procedures around access controls consistent with NIST and OWASP, and keep those policies and procedures current to any future NIST and OWASP measures;
- Adopt other security measures and processes, including for data transmitted online, around logging and monitoring, patch and security update management, and risk assessments;
- Have an assessment of its security program conducted every other year by external auditors (and internally review it each year);
- File with the FCC a compliance report six months and then 12 months after the effective date of the settlement, and ten annually thereafter for a period of three years.
Putting It Into Practice: This settlement is a reminder that regulators may look closely after an incident at a company’s security and compliance measures. The elements of this settlement, including access controls, risk assessments, and compliance monitoring suggest the types of procedures are expected.