Fake IT admin tricked Cox rep into handing over customer database – cableco fined $600k
Shocked outfoxed Cox docked
US broadband watchdog the FCC has fined Cox Communications $595,000 (£391,000, AU$832,000) after a Lizard Squad hacker swiped its customer records.
The FCC announced the punishment on Thursday, ending an investigation into the 2014 security breach. The fine is the first such penalty the FCC has dished out against a US cable operator.
The regulator said Cox failed to provide adequate security for its customer database, and then failed to notify the commission when the intrusion was discovered.
"Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections," said Travis LeBlanc, FCC enforcement bureau chief.
"This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media."
The breach in question occurred in August of 2014 when, the FCC says, a hacker called "eviljordie" phoned Cox customer service claiming to be an employee in the company's IT department. After tricking the call-center staffer into visiting a fake support website and entering their username and password, the hacker used the login details to access Cox's customer database.
Once in the database, the hacker had control over customer billing information, including names, addresses, payment data, and even partial Social Security numbers and state ID numbers.
The hacker, later identified as a member of the infamous Lizard Squad hacking team, leaked partial information on eight customers and changed the passwords of 28 others as proof of the breach.
In addition to paying the FCC nearly $600,000, Cox has agreed to implement a stricter security program including regular testing, audits, and monitoring of customer data. The cable giant will also notify all customers whose details were exposed in the breach and pay for a year of credit monitoring.
The FCC said the enforcement decree and its monitoring of Cox will run for a period of seven years. ®