The Federal Communications Commission (FCC) completed its first-ever data breach action involving a cable operator, settling the incident with Cox Communications for $595,000.
The breach, which occurred in August 2014, exposed customer data, including names, e-mail addresses, and driver's license numbers, among other information.
In a departure from other breach cases, there was nothing mega about this incident. The investigation ultimately determined that the hacker who stole the data, and was later arrested, posted the personal information of at least eight of the affected customers on social media sites, changed the passwords of at least 28 of the affected customers, and shared customer personal information with another alleged hacker. Cox Communications has some six million subscribers.
"Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections," Enforcement Bureau Chief Travis LeBlanc said in an FCC Commission Document issued after the ruling. "This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers' information safe online and off."
After the breach, Cox Communications was required by law to report the incident to the FCC's data breach portal within seven days. The company did not file a report via the portal, according to the order and consent decree filed by the FCC.
A hacker, later identified by the alias "EvilJordie," gained access to Cox Communications systems through a phishing attack on a company customer service representative and a contractor. Cox Communications was using two-factor authentication on some accounts, but not on the ones that were ultimately compromised in the phishing attack.
In addition to the $595,000 civil penalty, the settlement requires Cox Communications to adopt a comprehensive compliance plan that includes an information security program with annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers' personal information and proprietary network information. The Enforcement Bureau will monitor compliance for seven years.