Posts Tagged: Cox Communications


6
Nov 15

FCC Fines Cox $595K Over Lizard Squad Hack

In September 2014, I penned a column called “We Take Your Privacy and Security. Seriously.” It recounted my experience receiving notice from my former Internet service provider — Cox Communications — that a customer service employee had been tricked into giving away my personal information to hackers. This week, the Federal Communications Commission (FCC) fined Cox $595,000 for the incident that affected me and 60 other customers.

coxletterI suspected, but couldn’t prove at the time, that the band of teenage cybercriminals known as the Lizard Squad was behind the attack. According to a press release issued Thursday by the FCC, the intrusion began after LizardSquad member “Evil Jordie” phoned up Cox support pretending to be from the company’s IT department, and convinced both a Cox customer service representative and Cox contractor to enter their account IDs and passwords into a fake, or “phishing,” website.

“With those credentials, the hacker gained unauthorized access to Cox customers’ personally identifiable information, which included names, addresses, email addresses, secret questions/answers, PIN, and in some cases partial Social Security and driver’s license numbers of Cox’s cable customers, as well as Customer Proprietary Network Information (CPNI) of the company’s telephone customers,” the FCC said. “The hacker then posted some customers’ information on social media sites, changed some customers’ account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.”

My September 2014 column took Cox to task for not requiring two-step authentication for employees: Had the company done so, this phishing attack probably would have failed. As a condition of the settlement with the FCC, the commission said Cox has agreed to adopt a comprehensive compliance plan, which establishes an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers’ personal information, and the FCC will monitor Cox’s compliance with the consent decree for seven years. Continue reading →


29
Sep 14

We Take Your Privacy and Security. Seriously.

“Please note that [COMPANY NAME] takes the security of your personal data very seriously.” If you’ve been on the Internet for any length of time, chances are very good that you’ve received at least one breach notification email or letter that includes some version of this obligatory line. But as far as lines go, this one is about as convincing as the classic break-up line, “It’s not you, it’s me.”

coxletter

I was reminded of the sheer emptiness of this corporate breach-speak approximately two weeks ago, after receiving a snail mail letter from my Internet service provider — Cox Communications. In its letter, the company explained:

“On or about Aug. 13, 2014, “we learned that one of our customer service representatives had her account credentials compromised by an unknown individual. This incident allowed the unauthorized person to view personal information associated with a small number of Cox accounts. The information which could have been viewed included your name, address, email address, your Secret Question/Answer, PIN and in some cases, the last four digits only of your Social Security number or drivers’ license number.”

The letter ended with the textbook offer of free credit monitoring services (through Experian, no less), and the obligatory “Please note that Cox takes the security of your personal data very seriously.” But I wondered how seriously they really take it. So, I called the number on the back of the letter, and was directed to Stephen Boggs, director of public affairs at Cox.

Boggs said that the trouble started after a female customer account representative was “socially engineered” or tricked into giving away her account credentials to a caller posing as a Cox tech support staffer. Boggs informed me that I was one of just 52 customers whose information the attacker(s) looked up after hijacking the customer service rep’s account.

The nature of the attack described by Boggs suggested two things: 1) That the login page that Cox employees use to access customer information is available on the larger Internet (i.e., it is not an internal-only application); and that 2) the customer support representative was able to access that public portal with nothing more than a username and a password.

Boggs either did not want to answer or did not know the answer to my main question: Were Cox customer support employees required to use multi-factor or two-factor authentication to access their accounts? Boggs promised to call back with an definitive response. To Cox’s credit, he did call back a few hours later, and confirmed my suspicions. Continue reading →