Cox Receives $595K Slap On Wrist For Failing To Prevent Data Breach

In Aug. 2014, a hacker used a clever bit of social engineering to talk his way into accessing the personal information for an unknown number of Cox cable, Internet, and phone customers. For its failure to shield its system from this sort of outside invasion, the pay-TV company has agreed to pay $595,000 to the FCC.

In the FCC’s order and consent decree [PDF], investigators explain how the hacker contacted a third-party contractor for Cox, pretending to be a representative from the Cox IT department. The hacker convinced the contractor to enter her Cox user info and login via a bogus site made to look like the Cox site. A similar social engineering trick was used to get a Cox Tech Support staffer to enter his details into the fake site.

During the week that the hackers had access to the Cox network, they viewed the personal information — including names, mailing addresses, e-mail addresses, secret questions/answers, PINs, and partial Social Security and driver’s license numbers — for dozens of current and former customers. Eight Cox subscribers had their details posted online, while 28 others had their passwords changed by hackers.

With those credentials, the hacker gained unauthorized access to Cox customers’ personally identifiable information, which of Cox’s cable customers, as well as Customer Proprietary Network Information (CPNI) of the company’s telephone customers. The hacker then posted some customers’ information on social media sites, changed some customers’ account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.

While Cox did — six days after being made aware of the breach — bring in the FBI, leading to the arrest of the hacker believed to be responsible, the company didn’t exactly disclose the incident to the FCC as required by law.

And even though the number of customers openly affected by the breach was relatively small compared to the full list of Cox’s approximately 6 million subscribers, the company did not adequately inform these victims as quickly as it should have.

To close the FCC’s investigation, Cox has agreed to pay a $595,000 civil penalty to the FCC, identify all affected customers, notify them of the breach, and provide them one year of free credit monitoring.

The company must also adopt a comprehensive compliance plan, establish an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers’ personal information.

“Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” explains FCC Enforcement Bureau Chief Travis LeBlanc. “This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers’ information safe online and off.”