In the agency's first data security enforcement action against a cable operator, the Federal Communications Commission fined Cox Communications $595,000 for an August 2014 data breach in which a hacker gained access to customer data, including names, e-mail addresses, and driver's license numbers, among other information.
An investigation by the FCC's Enforcement Bureau revealed that a hacker impersonated a Cox IT worker and convinced a customer service representative and company contractor to enter account IDs and passwords on a phishing site that provided the hacker access to the customer database. Some of the customers' information was later posted online, including on social media sites, and the hacker changed some customers' account passwords.
"Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections," FCC Enforcement Bureau Chief Travis LeBlanc said in a statement. "This investigation shows the real harm that can be done by a digital identity thief."
Cox's data security systems at the time of the breach were lacking, the agency said, and the company failed to properly protect the confidentiality of its customers' proprietary and personally identifiable information. Further, Cox did not report the breach to the FCC as required by law.
To settle the charges, Cox agreed to pay a $595,000 civil penalty and adopt a comprehensive plan that includes FCC oversight for a seven-year period. The company must adopt a written information security program, conduct annual system audits and penetration testing, designate a senior corporate manager who is a certified privacy professional, implement a more robust data breach response plan, provide privacy and security training to third-party vendors and employees, implement multifactor authentication, and establish internal threat monitoring.
Cox also promised to notify affected customers of the breach and provide them with one year of free credit monitoring.
To read the FCC's order in In the Matter of Cox Communications, click here.
Why it matters: The FCC's first data security enforcement action against a cable operator does not look to be its last. "Consumers of cable and satellite services are entitled to have their personal information protected," according to the FCC order. "Inadequate security of subscribers' personal information can result in real world consequences for those customers, who are put at risk of financial and digital identity theft. In the wrong hands, a customer's sensitive personal information could also be used to take control of a customer's real accounts, to change the passwords on those accounts, to expose the customer's personal information on the web, and to harass or embarrass the customer through social media."