TracFone to pay $16 million to settle FCC cyber and privacy investigation


The Federal Communications Commission (FCC) announced Monday that Verizon-owned TracFone Wireless will pay a $16 million civil penalty to end an investigation into how its alleged failure to safeguard consumer data led to three data breaches across two years.

The breaches resulted from malicious use of application programming interfaces (APIs), which enable communications between computer programs or components, an FCC press release said.

APIs are often used to obtain customer information maintained on websites. The FCC suggested the breaches compromised consumer privacy and were the result of ineffective cybersecurity protocols.

The settlement requires TracFone to bolster its API security, an action the agency called critical due to how pervasive APIs are and how many unauthorized actors use them to breach websites.

TracFone’s poor security practices are especially notable because the brand’s anonymous phone service, commonly known for enabling “burner” phones, is built to accommodate consumers’ desire for privacy.

The breaches compromised customers’ network information, personally identifiable information and “numerous unauthorized port-outs.”

The settlement between the FCC and TracFone was first reported by CyberScoop.

TracFone did not immediately respond to a request for comment.

“The Commission takes matters of consumer privacy, data protection, and cybersecurity seriously, including in the context of emerging security issues,” Loyaan Egal, who chairs the FCC’s enforcement bureau and newly formed privacy and data task force, said in a prepared statement. “API security is paramount and should be on the radar of all carriers.” 

TracFone services are used by the brands Straight Talk, Total by Verizon Wireless and Walmart Family Mobile. Verizon bought the company in November 2021, two months before the first of the three breaches.

In addition to the $16 million fine, the settlement requires TracFone to:

- Create an information security program including “novel provisions” diminishing API vulnerabilities and do so using standards set by the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP)
- Change its subscriber identity module, commonly known as SIM, and port-out safeguards
- Undergo annual third-party assessments of its new information security program
- Train employees and third parties working with it to better understand privacy and security requirements


Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 
