Media Contact:
Will Wiquist, (202) 418-0509
will.wiquist@fcc.gov
For Immediate Release
COX COMMUNICATIONS TO PAY $595,000 TO SETTLE DATA BREACH INVESTIGATION
Cable Company's Data Protections Failed to Prevent Hacker From Obtaining Private Consumer Info
--
WASHINGTON, November 5, 2015 - The Federal Communications Commission's Enforcement Bureau has entered into a $595,000 settlement with Cox Communications to resolve an investigation into whether the company failed to properly protect its customers' personal information when the company's electronic data systems were breached in 2014. As a result, third parties had access to the personal information of Cox's subscribers. Cox has approximately six million subscribers nationwide. Today's action represents the FCC's first privacy and data security enforcement action with a cable operator.
"Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections," said Enforcement Bureau Chief Travis LeBlanc. "This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers' information safe online and off."
* The Enforcement Bureau's investigation found that Cox's electronic data systems were breached in August 2014 by a hacker using the alias "EvilJordie," a member of the "Lizard Squad" hacker group. EvilJordie pretended to be from Cox's information technology department, and convinced both a Cox customer service representative and a Cox contractor to enter their account IDs and passwords into a fake, or "phishing," website.
* With those credentials, the hacker gained unauthorized access to Cox customers' personally identifiable information, which included names, addresses, email addresses, secret questions/answers, PIN, and in some cases partial Social Security and driver's license numbers of Cox's cable customers, as well as Customer Proprietary Network Information (CPNI) of the company's telephone customers. The hacker then posted some customers' information on social media sites, changed some customers' account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.
* The Communications Act requires that a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator. The Enforcement Bureau's investigation found that, at the time of the breach, Cox's relevant data security systems did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials. Moreover, the company never reported the breach to the FCC's data breach portal, as required by law.
As a condition of settlement, Cox will pay a $595,000 civil penalty. The settlement also requires Cox to identify all affected customers, notify them of the breach, and provide them one year of free credit monitoring. Under the settlement, Cox will adopt a comprehensive compliance plan, which establishes an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers' personal information and CPNI. The Enforcement Bureau will monitor Cox's compliance with the consent decree for seven years.
This year, the Commission has taken three enforcement actions for violations of the Communications Act and Commission rules related to protection of customer personal information, resulting in over $28 million in penalties.
To file a complaint with the FCC, go to https://consumercomplaints.fcc.gov/hc/en-us or contact the FCC's Consumer Center by calling 1-888-CALL-FCC (1-888-225-5322) voice or 1-888-TELL-FCC (1-888-835-5322) TTY; faxing 1-866-418-0232; or by writing to:
Federal Communications Commission
Consumer and Governmental Affairs Bureau
Consumer Inquiries and Complaints Division
445 12th Street, SW
Washington, DC 20554
The order and consent decree are available at: https://apps.fcc.gov/edocs_public/attachmatch/DA-15-1241A1.pdf.
###
Office of Media Relations: (202) 418-0500
TTY: (888) 835-5322
Twitter: @FCC
http://www.fcc.gov/office-media-relations
This is an unofficial announcement of Commission action. Release of the full text of a Commission order constitutes official action. See MCI v. FCC, 515 F.2d 385 (D.C. Cir. 1974).