Hacker disguised as IT support
The breach in question occurred in August of 2014 when, the FCC says, a hacker called “eviljordie” phoned Cox customer service claiming to be an employee in the company’s IT department. After tricking the call-center staffer into visiting a fake support website and entering their username and password, the hacker used the login details to access Cox’s customer database.
FCC accuses Cox of weak security
The regulator said Cox failed to provide adequate security for its customer database, and then failed to notify the commission when the intrusion was discovered.
“Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said Travis LeBlanc, FCC enforcement bureau chief.
FCC Penalties
In addition to paying the FCC nearly $600,000, Cox has agreed to implement a stricter security program including regular testing, audits, and monitoring of customer data. The cable giant will also notify all customers whose details were exposed in the breach and pay for a year of credit monitoring.
Need for employee education
One thing that was not mentioned by the FCC is the need for employee security training. If the Cox Communication’s employee was aware of the potential for this type of phone scam they may have been unwilling to give out network credentials. Test, audits and monitoring are needed but ensuring that employees are trained is just as important.
