In what had been touted as the first data security enforcement action with a cable operator, the Federal Communications Commission (FCC) has agreed to settle for $595,000 an enforcement action following a data breach with Cox Communications. The settlement was announced by the FCC last week.
The settlement involves a data breach from 2014 when intruders broke into Cox Communication’s IT systems and accessed the personal information of millions of its customers. The intruder, dubbed “Eviljolie” was allegedly a member of the Lizard hacker group.
Using social engineering, Eviljolie was able to access customers’ information and change passwords and accounts.
Cox has agreed to notify all affected customers and provide credit monitoring to those affected by the intrusion. It has also agreed to implement a comprehensive compliance plan, including a written information security program, which will be monitored by the FCC for seven years. This requirement is strikingly similar to consent decrees required by the FTC in its data security enforcement actions.
The lesson? All industries should be focusing on a written information program to protect the personal information of employees and consumers and employee training to thwart social engineering and phishing expeditions.