Cable provider Cox pays $595,000 fine to resolve FCC data breach probeReprints
Cable firm Cox Communications Inc. will pay a $595,000 fine to resolve a Federal Communications Commission investigation as to whether it failed to properly protect its 6 million subscribers’ personal information in connection with a 2014 data breach, the FCC said.
Atlanta-based Cox said in a statement its commitment to data security is a top priority, and that only 61 customers were affected by the breach.
The FCC said in a statement Thursday that its enforcement bureau’s investigation found that Cox’s electronic data systems were breached in August 2014 by a hacker using the alias “EvilJordie,” a member of the “Lizard Squad” hacker group.
The FCC said EvilJordie pretended to be from Cox’s information technology department and convinced both a Cox customer service representative and Cox contractor to enter their account IDs and passwords into a fake “phishing” website.
The FCC said with these credentials, the hacker gained unauthorized access to Cox customers’ personally identifiable information, including names, addresses, email addresses, secret questions and answers, PIN numbers and, in some cases, Social Security and driver’s license numbers.
The hacker then posted some customers’ information on social media sites, changed some customers’ account passwords and shared the compromised account credentials with another alleged Lizard Squad member, the FCC said.
In addition to paying the $595,000 penalty, the settlement also requires Cox to provide all affected customers with one year of free credit monitoring, among other terms.
“Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said Washington-based FCC Enforcement Bureau Chief Travis LeBlanc in the FCC statement. “This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the Web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers' information safe online and off.”
Cox said in its statement that its “commitment to privacy and data security is a top priority for the company, and we take our responsibility to protect our customers’ personal information very seriously. While we regret that this incident occurred, our information security program ensured that we were able to react quickly and limit the incident to 61 customers.
“Cox also promptly reported the incident to the FBI and worked closely with them in their investigation, resulting in the arrest of the perpetrator. We will continue to enhance our privacy and information security programs to protect the personal information that is entrusted to us.”
Blogger Brian Krebs, who focuses on data breaches, said in his blog Friday that he was among those affected by the breach against Cox, his former Internet provider.