The Federal Communications Commission announced in late October that it will begin holding service providers responsible for security breaches affecting their customers’ personal data.
The agency released a statement on Oct. 24 saying it plans to fine TerraCom and YourTel America, which are both owned and managed by the same parent company, $10 million for failing to properly secure the information of more than 300,000 customers. The FCC alleges that the carriers didn’t take the necessary security precautions, exposing the names, addresses and Social Security numbers of consumers, eWEEK reported.
The telcos allegedly stored the personal information online without the protection of firewalls, encryption or passwords, according to The Washington Post. In an agency filing, FCC chairman Tom Wheeler stated that the decision to fine the carriers was based on the providers’ failure to take reasonable steps to secure the compromised data, in breach of their duty to protect customer confidentiality.
The fine stems from personally identifiable information (PII) collected on applicants to the carriers’ government-subsidized Lifeline program being stored on servers accessible to the public. The location of the data was discovered when a reporter from the Scripps Howard News Service came across the information through a routine Google search. The lax security was then reported to the FCC.
As eWEEK contributor Sean Michael Kerner noted, an attack that leads to the exposure of customer data and a provider leaving consumer information out in the open are two very different things.
The carriers in this case could have easily protected their clients’ data by employing common-sense security techniques like encryption and two-factor authentication. Organizations looking to remain compliant and avoid fines from the FCC and other regulatory bodies need to use these defenses, storing customer data behind extra layers of security to keep cybercriminals away from sensitive information.