“Hi, I’m from IT” call yielded access to customer records, lulz; Cox fined $596k.
What’s the cost of giving up customers’ information because of weak information security practices? For Cox Communications, the answer is a half-million dollar fine and having the Federal Communications Commission watching its every information security move for the next seven years. The FCC’s Enforcement Bureau and cable and broadband Internet provider Cox Communications have reached a settlement over an August 2014 data breach involving a member of the Lizard Squad hacking group. The FCC announced the settlement on Thursday.
The hacker, who goes by the nom de guerre “EvilJordie,” used one of the oldest social engineering tricks in the book to gain access to Cox’s internal data: he convinced a Cox customer service representative and a Cox contractor over the phone that he was a system administrator in Cox’s IT department and sent them a “phishing” link to a malicious website that mimicked a corporate intranet site, where they entered their login credentials.
Once in possession of the usernames and passwords, EvilJordie gained access to Cox cable customer data—including “names, addresses, email addresses, secret questions/answers, PIN, and in some cases partial Social Security and driver’s license numbers,” an FCC spokesperson said. The hacker also gained access to confidential proprietary network information (CPNI) from Cox’s VoIP phone service.
EvilJordie then posted the partial data of eight Cox customers online (through a now-suspended Twitter account) and passed other data to fellow Lizard Squad members. The passwords of 28 customers’ accounts were changed as well to prove to Cox that access had been gained.
In all, 61 Cox customers had their data exposed, based on the audit logs for the accounts that the Lizard Squad hackers had access to, according to the FCC’s consent decree (PDF). At least one customer and possibly more had their Cox VoIP phone data exposed. Cox did not inform all of the affected customers of the breach (two were missed), and did not report the breach to the FCC as prescribed by regulations.
The disclosure of that data is a violation of the Communications Act, as amended by the Telecommunications Act of 1996, which requires network operators to protect customer information. “Congress and the Commission have made clear that cable operators such as Cox must ‘take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator,’” Travis LeBlanc, the chief of the FCC’s Enforcement Bureau, wrote in an order filed November 5. “Furthermore, telecommunications carriers such as Cox must take ‘every reasonable precaution’ to protect their customers’ data. In addition, the law requires carriers to promptly disclose CPNI breaches via our reporting portal within seven business days after reasonable determination of a breach to facilitate the investigations of the FBI and the United States Secret Service.”
In addition to paying a $596,000 fine, Cox will have to notify customers whose data was exposed, provide credit monitoring for a year, and “adopt a comprehensive compliance plan” to prevent future breaches, according to the FCC statement. Cox will be required to conduct annual security audits and penetration testing of its systems, as well as establish internal threat monitoring and new breach notification procedures. The Enforcement Bureau will directly monitor Cox’s efforts for the next seven years.