July 24, 2024 at 08:39AM
Telecommunications provider TracFone Wireless has agreed to a $16 million civil penalty to settle investigations into three data breaches involving the compromise of customer information. The breaches, which occurred between Jan 2021 and Jan 2023, involved the exploitation of APIs and led to unauthorized access to customer information. TracFone will implement an information security program as part of the settlement.
Key takeaways:
– TracFone Wireless has agreed to a $16 million civil penalty to resolve investigations into three older data breaches involving the compromise of customer proprietary network information (CPNI) and personally identifiable information (PII).
– The data breaches occurred between January 2021 and January 2023, and they involved the exploitation of application programming interfaces (APIs) leading to the compromise of customer information.
– The first incident involved unauthorized requests to transfer customer phone numbers to other carriers, and the two other incidents were related to the carrier’s order website, where threat actors exploited a vulnerability to access order information without authentication.
– According to the FCC, TracFone failed to reasonably secure customers’ proprietary information, in violation of the duty that wireless carriers have.
– As part of the settlement, TracFone has agreed to implement an information security program, reduce API vulnerabilities, improve SIM and port-out protections, perform annual assessments of its information security program, and provide privacy and security awareness training for employees.
– TracFone is a wholly owned subsidiary of Verizon Communications and offers services through multiple brands, such as Straight Talk, Total by Verizon Wireless, and Walmart Family Mobile.