TracFone Faces $16M Fine for 3 Data Breaches

TracFone, a brand owned by Verizon, has agreed to a settlement with the Federal Communications Commission (FCC) over three breaches that compromised customer information. As part of the settlement, TracFone will pay a $16 million fine.

The significance of this fine stems from the nature of the breaches, which involved the exploitation of APIs, exposing sensitive customer data. Hackers accessed customer names, billing addresses, subscribed features, and lines per account, enabling them to conduct unauthorized port-outs.

These breaches were discovered between 2021 and 2023. TracFone first noticed the issue in December 2021 after observing an unusually high volume of number port-out requests, followed by several customer complaints about unauthorized port-outs. In response, TracFone began sending port-out notifications to customers and required them to validate the requests with randomly generated PINs.

The second breach occurred in December 2022 and January 2023 through TracFone's order websites. Despite initial efforts to block the attack, the threat actors found alternative methods to bypass security. By February 2023, TracFone implemented a long-term solution to address the underlying vulnerability.

The FCC has not specified the number of customers affected by these breaches, but stated that many of the compromised accounts were no longer active. In addition to the fine, TracFone has committed to enhancing its API security.

Source: RCR Wireless