Cox has agreed to pay $595,000 to settle an FCC Enforcement Bureau investigation into its data protections related to a 2014 hack.
Cox said it took information protection seriously, had limited the hack to 61 customers and worked with the FBI to catch the hacker.
The settlement also requires the cable company to "identify all affected customers, notify them of the breach, and provide them one year of free credit monitoring." Cox will also adopt a compliance plan that includes annual audits, threat monitoring, and vulnerability testing, with the FCC monitoring compliance for seven years.
“Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said Enforcement Bureau chief Travis LeBlanc in announcing the settlement. “This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media. We appreciate that Cox will now take robust steps to keep their customers’ information safe online and off.”
The FCC was investigating whether Cox failed to "properly protect" customer info when its systems were breached by EvilJordie of the "Lizard Squad."
According to the FCC, EvilJordie posed as a Cox tech and convinced a customer service rep and contractor to enter account IDs and passwords into a phishing website.
The hacker used those credentials to access personally identifiable information (PII) of Cox customers.
"The Enforcement Bureau’s investigation found that, at the time of the breach, Cox’s relevant data security systems did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials," the FCC said. "Moreover, the company never reported the breach to the FCC’s data breach portal, as required by law."
"Cox’s commitment to privacy and data security is a top priority for the company and we take our responsibility to protect our customers’ personal information very seriously," Cox said in a statement. "While we regret that this incident occurred, our information security program ensured that we were able to react quickly and limit the incident to 61 customers. Cox also promptly reported the incident to the FBI and worked closely with them in their investigation, resulting in the arrest of the perpetrator. We will continue to enhance our privacy and information security programs to protect the personal information that is entrusted to us."