Cox Communications to Pay $595,000 to Settle Data Breach Investigation
Image: Pixabay

Cox Communications to Pay $595,000 to Settle Data Breach Investigation

November 9, 2015

The Federal Communications Commission (FCC) has entered into a $595,000 settlement with Cox Communications to resolve an investigation into whether the company failed to properly protect its customers' personal information when its electronic data systems were breached in 2014.

As a result, third parties had access to the personal information of Cox's subscribers. Cox has approximately six million subscribers nationwide, according to the FCC.

The action taken against Cox marks the Commission's first privacy and data security enforcement action with a cable operator.

"Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections," said Enforcement Bureau Chief Travis LeBlanc. "This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers' information safe online and off."

The Enforcement Bureau's investigation found that Cox's electronic data systems were breached in August 2014 by a hacker using the alias "EvilJordie," a member of the "Lizard Squad" hacker group. EvilJordie pretended to be from Cox's information technology department, and convinced both a Cox customer service representative and Cox contractor to enter their account IDs and passwords into a fake website.

With those credentials, the Enforcement Bureau says that the hacker gained unauthorized access to Cox customers' personally identifiable information, which included names, addresses, email addresses, secret questions/answers, PIN, and in some cases partial Social Security and driver's license numbers of Cox's cable customers, as well as Customer Proprietary Network Information (CPNI) of the company's telephone customers. The hacker then posted some customers' information on social media sites, changed some customers' account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.

The Communications Act requires that a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator. The Enforcement Bureau's investigation found that, at the time of the breach, Cox's relevant data security systems did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials. Moreover, the company never reported the breach to the FCC's data breach portal, as required by law.

As a condition of the settlement, Cox will pay a $595,000 civil penalty. The settlement also requires Cox to identify all customers affected by the breach, notify them of the breach, and provide them with one year of free credit monitoring. Cox will also adopt a comprehensive compliance plan, which establishes an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers' personal information and CPNI. The Enforcement Bureau will monitor Cox's compliance with terms of the settlement for seven years.

The action against Cox marks the FCC's third enforcement action this year for violations of the Communications Act and Commission rules related to the protection of customer information. Combined, the three actions have resulted in over $28 million in penalties.