Cox Communications Inc. agreed to pay $595,000 to resolve an investigation by the Federal Communications Commission’s Enforcement Bureau into whether the cable operator failed to properly protect its customers’ personal information when the company’s electronic data systems were hacked in 2014. The consent decree, entered into on November 5, is the first privacy and data security enforcement action with a cable operator.
The FCC’s investigation found that Cox’s electronic data systems were breached in August 2014 by a hacker using the alias “EvilJordie.” The hacker used a common social engineering ploy known as pretexting. Specifically, EvilJordie pretended to be from Cox’s information technology department and convinced a Cox customer service representative and a Cox contractor to enter their account IDs and passwords into a fake, or “phishing,” website. The hacker then used this credential information to gain access to Cox’s customers’ names, addresses, email addresses, and partial Social Security and driver’s license numbers, and some telephone customers’ account-related data. Some customers’ personal information was posted on social media sites, while other customers’ account passwords were changed.
Section 631(c) of the Communications Act requires that a cable operator not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned, and take actions to prevent unauthorized access to such information. The FCC investigation found that at the time of the breach, Cox’s data security systems did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials. Moreover, despite learning of the breach only five days after it occurred, and cooperating with the FBI in an investigation that resulted in the arrest of the hacker, the company never reported the incident to the FCC, as required by law.
In addition to the civil penalty, the consent decree requires Cox to identify and notify each affected customer and provide one year of complimentary credit monitoring services. Cox must also develop a compliance plan to help protect customer information and prevent similar data breaches.
“Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said Enforcement Bureau Chief Travis LeBlanc. “This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media.”