Verizon Subsidiary Settles With FCC for $16M Over Three Data Breaches

Telecommunications provider TracFone Wireless has agreed to a $16 million civil penalty to resolve investigations into three older data breaches, the Federal Communications Commission (FCC) announced.

The data breaches occurred between January 2021 and January 2023, involved the exploitation of application programming interfaces (APIs), and resulted in the compromise of customer proprietary network information (CPNI) and personally identifiable information (PII).

Discovered in December 2021, the first incident led to numerous requests to transfer customer phone numbers to other carriers, without authorization from the impacted customers. The attackers had unauthorized access to TracFone’s customer information between January 2021 and January 2022.

The two other incidents, both related to the carrier’s order website, were reported in December 2022 and January 2023. In both attacks, threat actors exploited a vulnerability that allowed them to access order information without authentication. The flaw was addressed in February 2023.

TracFone, the FCC says, failed to reasonably secure customers’ proprietary information, a violation of wireless carriers’ duty and an unjust and unreasonable practice.

Carriers, the FCC points out, are expected to take every reasonable precaution to protect their customers’ information.

“The Commission has also adopted rules that require carriers to take reasonable measures to discover, report, and protect against attempts to access CPNI without authorization,” the FCC notes.

As part of the settlement, in addition to paying a $16 million civil penalty, TracFone has agreed to implement an information security program to reduce API vulnerabilities, to improve SIM and port-out protections, to perform annual assessments of its information security program, and to train employees on privacy and security awareness.

A wholly-owned subsidiary of Verizon Communications, which acquired it in November 2021, TracFone offers services through multiple brands, including Straight Talk, Total by Verizon Wireless, and Walmart Family Mobile.
