Cox Communications Fined by FCC Over Loss of Customer Data

The Federal Communications Commission (FCC) has levied the first fine against a cable operator in a privacy and data security enforcement investigation. Cox Communications’ network and data were hacked back in 2014, and this has led to the exposure of over 6 million customers’ private information, including names, addresses and credit card/payment information. The FCC has fined Cox $595,000 for the breach and looks to be the start of a series of inquiries into cable company security across the vertical.

Cable companies appear to be the latest in a growing, yet already lengthy list, of companies and organizations which have been targeted and plundered by cybercriminals. Cable companies collect a great deal of private, and sensitive information on customers, of which just a fraction is sufficient to hack and steal customers’ identities. Identity theft is a huge problem, growing exponentially, and the onus must be on companies and organizations which collect data on individuals to look after it and secure it properly.This fine is not as large as some at Cox probably feared (nor the cable industry generally), but it does signal intent on the part of the FCC. FCC Enforcement Bureau Chief, Travis LeBlanc said, “This investigation shows the real harm that can be done by a digital identity thief…”

The hacker breached Cox’s network in August 2014, and goes by the online identity, “Evil Jordie”. Evil Jordie is known to be a member of the infamous Lizard Squad, a notorious hacker collective and thought to be based in the United Kingdom. The hacker managed to gain access to the Cox system by managing to persuade a Cox customer service representative and an authorized Cox contractor to enter their user ID and password credentials into a fake website in a ‘phishing’ exploit. Evil Jordie than was able to use these credentials to access Cox’s network and gain access to customer information.

Once the hacker had customer information, they set upon a series of harassing activities including changing account passwords, posting private information on public websites and Social Media, and also sharing stolen data with other hackers and criminals.

Notable security writer, Brian Krebs, he was the first to suspect that the Lizard Squad was probably behind the attack, way back in September 2014, however he also pointed out that Cox did not have two-factor authentication for its own staff and contractors. If two-factor authentication had been put in place, this phishing attack to gain staff credentials would have almost certainly failed at the first hurdle. As Krebs points out, this issue also affects many other ISPs and telecommunications companies in the sector, which again points to a high likelihood that Cox is not going to be the only telco to be investigated by the FCC.

Cox Communications must not only pay the $595,000 fine for the breach, but tread a well-worn path of notifying customers whose data has been compromised, and also provide 12 months of credit monitoring at no charge. Irrespective of the financial cost to Cox, the cost in terms of their reputation is likely to be far higher in the market, with a damaged customer trust for both existing and prospective customers.

As for Evil Jordie, he was arrested by British police working in conjunction with the FBI in connection with the taking down of the Xbox and Sony Playstation attacks in 2014, along with numerous ‘swatting’ attacks. At that time he was an 18 year old, and his real name is Jordan Lee-Bevan, however it remains to be seen whether he will be extradited from the UK to stand trial in the US.

Let our Specialists take care of your IT Support