Verizon Communications has agreed to pay a $16,000,000 settlement with the Federal Communications Commission (FCC) in the U.S. concerning three data breach incidents at its wholly-owned subsidiary, TracFone Wireless, suffered after its acquisition in 2021.

TracFone is a telecommunications service provider offering services through Total by Verizon Wireless, Straight Talk, and Walmart Family Mobile, among others.

Apart from the hefty civil penalty, the announced settlement agreement requires the communications firm to implement specific measures to increase the level of data security for its customers going forward.

Multiple data breaches

Data breaches at TracFone occurred between 2021 and 2023, involving three separate incidents.

The first, referred to as the ‘Cross-Brand’ incident, was self-reported by TracFone on January 14, 2022. The company discovered it in December 2021, but the investigation showed that the threat actors had access to customer data since January 2021.

With access to sensitive information, including personally identifiable information (PII) and customer proprietary network information (CPNI), the threat actors conducted a high number of unauthorized number porting request approvals.

“In connection with this incident, threat actors exploited certain vulnerabilities related to authentication and a limited number of APIs,” reads the decree.

“By exploiting those vulnerabilities, threat actors were able to gain unauthorized access to certain customer information.”

The other two data breach incidents concern TracFone’s order websites, reported on December 20, 2022, and January 13, 2023, respectively.

In both cases, unauthenticated threat actors exploited a vulnerability to access order information, including certain CPNI and other customer data.

“The threat actor(s) used two different methods to exploit the vulnerability (switching to a second method when TracFone successfully blocked the first),” explains the FCC’s decree document.

“TracFone ultimately implemented a long-term fix for the underlying vulnerability by February 2023.”

The number of exposed individuals and SIM-swapping incidents have been censored in the public version of the Consent Decree document.

The settlement agreement mandates that TrackFone will now have to implement the following measures by February 28, 2025:

• Develop a mandated information security program to reduce API vulnerabilities by adhering to standards like NIST and OWASP, implementing secure API controls, and regularly testing and updating security measures.
• Implement SIM change and port-out protections involving secure authentication for SIM changes and port-out requests, notifying customers of such requests, and offering number transfer PINs.
• Perform information security annual assessments to ensure the program’s effectiveness, with independent third-party evaluations every two years to assess sufficiency and maturity.
• Organize annual employee privacy and security awareness training to enhance their capability to safeguard customer data and comply with security protocols.

BleepingComputer has contacted Verizon and TracFone to ask how many customers were impacted, but we have not received an answer.