FCC Fines 2 Telecoms Over Security Woes
$10 Million Penalty for Exposing Customer Information Online
The Federal Communications Commission has hit two related telecommunications companies with a joint $10 million fine for apparently storing customers' personal information online in a format that was accessible through Internet search results.
TerraCom Inc. and YourTel America Inc., which have common shareholders and share key management employees, were accused of storing sensitive information on 305,000 consumers from September 2012 to April 2013 in a format that was accessible via the Internet, the FCC says. That exposed consumers to potential identity theft and fraud, the agency says.
The information apparently compromised was for customers who were eligible for the Lifeline program, which provides discounted phone services for low-income consumers, the FCC says. Information that may have been accessed online includes Social Security numbers, names, addresses, driver's license numbers and other sensitive information.
Once the two telecom companies learned of the breach, they failed to notify all the affected consumers, authorities allege.
The FCC also alleges that the carriers' failure to reasonably secure their customers' personal information violates the companies' statutory duty under the Communications Act to protect that information, and also constitutes an unjust and unreasonable practice in violation of the Act, given that their data security practices lacked "even the most basic and readily available technologies and security features and thus create an unreasonable risk of unauthorized access."
Plus, the agency alleges that the companies' deceptive and misleading representations of customer privacy protections and their failure to notify customers of the breach also were unreasonable practices.
"Consumers trust that when phone companies ask for their Social Security number, driver's license and other personal information, these companies will not put that information on the Internet or otherwise expose it to the world," says Travis LeBlanc, chief of the FCC's enforcement bureau. "When carriers break that trust, the commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices."
Dale Schmick, chief operating officer of TerraCom and YourTel, tells Information Security Media Group: "In the year and a half since the personal data of Lifeline applications were accessed without authorization, we have worked with our vendors to increase data security technology and procedures and completed multiple security audits to prevent further breaches from taking place. We look forward to working with the FCC to resolve this matter and welcome the opportunity to correct the record with regard to our security processes."
In September, telecommunications company Verizon reached a $7.4 million settlement with the FCC over the company's failure to notify approximately 2 million new customers of their privacy rights, including how to opt out from having their personal information used in marketing campaigns.