Verizon Settles TracFone Data Breach for $16 Million: A Powerful Lesson in Cybersecurity
Verizon will pay a $16 million settlement over a TracFone Wireless data breach affecting prepaid customers. The money will go to the US Treasury and be used to enhance consumer protection and internet privacy enforcement.
Verizon Communications has recently agreed to pay a whopping $16,000,000 settlement with the Federal Communications Commission (FCC) in the U.S. This settlement comes in response to three data breach incidents that took place at TracFone Wireless, a Verizon subsidiary acquired in 2021.
TracFone is a telecommunications service provider that offers its services through various brands such as Total by Verizon Wireless, Straight Talk, and Walmart Family Mobile, among others.
As part of the settlement agreement, Verizon is not only required to pay a hefty civil penalty but also to implement specific measures to enhance data security for its customers moving forward.
Three data breaches, one big problem
The data breaches at TracFone occurred between 2021 and 2023 and involved three separate incidents.
The first incident, referred to as the ‘Cross-Brand’ incident, was self-reported by TracFone on January 14, 2022. TracFone discovered the breach in December 2021, but the investigation revealed that threat actors had access to customer data since January 2021.
These threat actors had access to sensitive information, including personally identifiable information (PII) and customer proprietary network information (CPNI), which they used to obtain approval for a large number of unauthorized number-porting requests.
According to the decree, “In connection with this incident, threat actors exploited certain vulnerabilities related to authentication and a limited number of APIs.”
The other two data breach incidents involved TracFone’s order websites and were reported on December 20, 2022, and January 13, 2023, respectively.
Unauthenticated threat actors exploited a vulnerability to access order information, including certain CPNI and other customer data. The FCC’s decree document explains that “the threat actor(s) used two different methods to exploit the vulnerability (switching to a second method when TracFone successfully blocked the first).”
TracFone ultimately implemented a long-term fix for the underlying vulnerability by February 2023. However, the number of exposed individuals and the number of SIM-swapping incidents have been redacted from the public version of the Consent Decree.
Steps towards better security
As part of the settlement agreement, TracFone is required to implement the following measures by February 28, 2025:
- Develop a mandated information security program to reduce API vulnerabilities by adhering to standards like NIST and OWASP, implementing secure API controls, and regularly testing and updating security measures.
- Implement SIM change and port-out protections involving secure authentication for SIM changes and port-out requests, notifying customers of such requests, and offering number transfer PINs.
- Perform annual information security assessments to ensure the program’s effectiveness, with independent third-party evaluations every two years to assess its sufficiency and maturity.
- Organize annual employee privacy and security awareness training to strengthen employees’ ability to safeguard customer data and comply with security protocols.
We reached out to Verizon and TracFone to inquire about the number of customers impacted by these breaches but have not yet received a response.
Take action and stay informed
As a consumer, it’s essential to stay informed about data breaches like these and take necessary precautions to protect your personal information. If you’re a Verizon or TracFone customer, be sure to keep an eye out for any unusual activity on your account and report it immediately.
Remember, knowledge is power when it comes to cybersecurity. So, stay up to date with the latest news, tips, and best practices by coming back to us for more information. Your security is our priority, and we’re here to help you stay safe in the digital world.