
These breaches involved the misuse of application programming interfaces (APIs), tools that allow different computer applications to communicate with each other. APIs are a common target for cyberattacks because they allow websites to access customer information.
The settlement, known as a consent decree, includes measures to strengthen TracFone’s API security, which is important because APIs are widespread and often targeted by hackers. Loyaan A. Egal, Director of the Enforcement Bureau and Chair of the Privacy and Data Protection Task Force, emphasised the importance of API security given the sensitive customer information held by carriers.
As part of the consent decree, TracFone will pay a $16 million civil penalty and implement several measures to strengthen security:
Establish an information security program to mitigate API vulnerabilities, following standards from the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP).
Introduce Subscriber Identity Module (SIM) change and port-out protections.
Conduct an annual assessment, including an independent third-party assessment, of its information security program.
Provide privacy and security awareness training to employees and certain third parties.
The settlement comes after the FCC fined major wireless carriers approximately $200 million for illegally sharing customer location information without consent and failing to protect this sensitive data.
In 2023, FCC Chairman Jessica Rosenworcel established the Privacy and Data Protection Task Force, an FCC staff working group that focuses on data breaches and cybersecurity vulnerabilities at communications providers and coordinates the FCC’s rulemaking, enforcement, and public awareness efforts on privacy and data protection.
