FCC, Tracfone Wireless reach $16M cyber and privacy settlement
The Federal Communications Commission has reached a $16 million settlement with prepaid phone provider Tracfone Wireless over its privacy and cybersecurity practices.
It’s the first FCC settlement ever to have specific conditions directing a company to secure application programming interfaces, which allow computer systems to communicate with one another, according to a commission spokesperson.
The settlement, which CyberScoop is first to report, stems from three data breaches that involved exploiting API vulnerabilities of the Verizon-owned carrier between January 2021 and January 2023, which exposed the sensitive personal information of customers.
“Carriers — and the customer information they have access to — are prime targets for threat actors,” Loyaan A. Egal, chief of the FCC Enforcement Bureau and chair of the Privacy and Data Protection Task Force, said in a statement. “The Commission takes matters of consumer privacy, data protection, and cybersecurity seriously, including in the context of emerging security issues.”
Egal said the FCC’s investigation and its consent decree with Tracfone makes clear “that API security is paramount and should be on the radar of all carriers.”
Tracfone did not immediately respond to a request for comment. Verizon bought Tracfone in November 2021. Tracfone offers phones under a variety of brand names, such as Walmart Family Mobile.
Prepaid wireless phones, sometimes referred to as “burners” depending on their features, have been hailed as a privacy tool. Tracfone is not alone in the market, however, for suffering data breaches that expose customer data.
The settlement comes on the heels of a $200 million fine the FCC dished out in April to the nation’s largest wireless carriers for illegally sharing customer location data.
The FCC said that the Tracfone breaches led to unauthorized access of sensitive customer information known as “customer proprietary network information” or CPNI, a category that includes the date, time and length of phone calls, as well as the number a caller was trying to reach.
Section 222 of the Communications Act dictates that telecommunications carriers must protect their customers’ sensitive data, and the settlement resolves an FCC investigation into whether Tracfone reasonably did so.
The $16 million settlement comes with conditions Tracfone must meet, including securing API vulnerabilities as outlined by widely accepted industry standards, such as those specified by the National Institute of Standards and Technology. Tracfone also must get outside assessments of its information security program and train personnel on privacy and security awareness.
“The Commission has made clear that it expects telecommunications carriers to take ‘every reasonable precaution’ to protect their customers’ proprietary or personal information,” the FCC said. “The Commission has also adopted rules that require carriers to take reasonable measures to discover, report, and protect against attempts to access CPNI without authorization.”
