Businesses are supposed to protect the confidential information they collect from customers. A breach of Cox Communications' data system in 2014 exposed the personal information of about six million subscribers, a snafu that is costing Cox $595,000.
The Federal Communications Commission’s Enforcement Bureau said the fine is the FCC's first privacy and data security enforcement action with a cable operator.
“Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said Enforcement Bureau Chief Travis LeBlanc. “This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers’ information safe online and off.”
The Enforcement Bureau’s investigation found that Cox’s electronic data systems were breached in August 2014 by a hacker using the alias “EvilJordie,” a member of the “Lizard Squad” hacker group. EvilJordie pretended to be from Cox’s information technology department, and convinced both a Cox customer service representative and Cox contractor to enter their account IDs and passwords into a fake, or “phishing,” website.
With those credentials, the hacker gained unauthorized access to Cox customers’ personally identifiable information, which included names, addresses, email addresses, secret questions/answers, PIN, and in some cases partial Social Security and driver’s license numbers of Cox’s cable and telephone customers.
The hacker then posted some customers’ information on social media sites, changed some customers’ account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.
Besides the fine, the settlement requires Cox to identify all affected customers, notify them of the breach, and provide them one year of free credit monitoring.