TracFone to Pay $16M to Settle Data Breach Probe

The FCC and Verizon Communications (NYSE: VZ) subsidiary TracFone Wireless reached a deal to settle an investigation into whether TracFone failed to reasonably protect its customers’ information from unauthorized access in connection with three data breaches between 2021 and 2023. The breaches involved exploitation of application programming interfaces (APIs) that enable different computer programs or components to communicate with one another. The breaches resulted in the unauthorized access to and exposure of customers’ proprietary information, including certain customer proprietary network information (CPNI) and personally identifiable information, according to the agency.

Numerous APIs can be leveraged to access customer information from websites, according to the FCC. The settlement, or Consent Decree, includes terms aimed at strengthening TracFone’s API security. “This is critical because APIs are ubiquitous, and thus are a common attack vector for threat actors,” says the Commission. 

TracFone offers services through multiple brands, such as Straight Talk, Total by Verizon Wireless, and Walmart Family Mobile. Verizon Communications acquired TracFone in November 2021, Inside Towers reported.

The agency says in the settlement: “The failure to reasonably secure customers’ proprietary information violates a carrier’s duty under Section 222 of the Communications Act and also constitutes an unjust and unreasonable practice in violation of Section 201 of the Act. It is also a violation of Section 222 of the Communications Act to impermissibly use, disclose, or permit access to individually identifiable CPNI without customer approval.”  

The Commission expects telecom carriers to take “every reasonable precaution” to protect their customers’ proprietary or personal information. It has also adopted rules that require carriers to take reasonable measures to “discover, report, and protect against attempts to access CPNI without authorization.” 

In addition to a $16 million civil penalty, the Consent Decree includes:

  • a mandated information security program, with provisions to reduce API vulnerabilities in ways consistent with widely accepted standards;
  • Subscriber Identity Module (SIM) change and port-out protections;
  • annual assessments, including by independent third parties, of TracFone Wireless’ information security program; and
  • privacy and security awareness training for employees and certain third parties.

The latest action follows a December 2023 Consent Decree between the FCC and TracFone to resolve investigations into whether TracFone violated Commission rules for the Lifeline and Emergency Broadband Benefit program as well as a 2020 enforcement action. TracFone agreed to pay a $23 million civil penalty in those probes, Inside Towers reported.  

By Leslie Stimson, Inside Towers Washington Bureau Chief