Data Breach due to hack attack by Lizard Squad to cost Cox Communications $595,000 to settle FCC complaint
The Federal Communications Commission’s (FCC) Enforcement Bureau has entered into a $595,000 settlement with Cox Communications to find a solution to an investigation into whether the company properly safeguarded personal information of its customers when the company’s electronic data systems were breached in 2014. Cox has about six million customers.
According to the FCC, in August 2014, a hacker using the alias EvilJordie, a member of the “Lizard Squad” hacker group presented himself as a Cox tech employee and successfully convinced a company customer service representative and a Cox contractor to give up authentication keys that unlocked the sensitive customer data.
This is what the Lizard Squad had to say about the FTC penalty :
https://twitter.com/LizardLands/status/662478595504406528
After obtaining that information, the hacker got access to personal information on Cox customers, which included names, addresses, email addresses, secret questions and answers, PINs and, in some cases, driver’s license numbers and partial Social Security Numbers
The breach became public when EvilJordie shared some of the stolen information on social media sites, and also distributed some of it among other Lizard Squad members.
“Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said Enforcement Bureau Chief Travis LeBlanc. “This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers’ information safe online and off.”
The Communications Act requires that a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator.
At the time of the breach, Cox’s relevant data security systems did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials, said the FCC. Moreover, the company never reported the breach to the FCC’s data breach portal, as required by law.
However, Cox says it was reported to law enforcement.
Cox representative Todd Smith said in a statement: “Cox’s commitment to privacy and data security is a top priority for the company and we take our responsibility to protect our customers’ personal information very seriously. While we regret that this incident occurred, our information security program ensured that we were able to react quickly and limit the incident to 61 customers. Cox also promptly reported the incident to the FBI and worked closely with them in their investigation, resulting in the arrest of the perpetrator. We will continue to enhance our privacy and information security programs to protect the personal information that is entrusted to us.”
As a condition of settlement, Cox will pay a $595,000 civil penalty. It will also identify and notify all victims of the breach and provide them with one year of free credit monitoring. Cox must also adhere to new data security protocols, including annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems. The FCC will monitor the MSO’s compliance with a consent decree for seven years.
