This week, the Federal Communications Commission (FCC) announced a settlement with TracFone Wireless to resolve investigations into whether TracFone failed to reasonably protect its customers’ information from unauthorized access in connection with three data breaches.

The breaches occurred between January 2021 and January 2023. Each of these data breaches involved the exploitation of application programming interfaces (APIs), which allow system programs and components to communicate with each other. The incidents led to unauthorized access to proprietary customer information and personal information. The FCC’s complaint against TracFone stated that TracFone’s alleged failure to reasonably secure customers’ proprietary information violated a carrier’s duty under Section 222 of the Communications Act and constituted an unjust and unreasonable practice in violation of Section 201.. It is also a violation of Section 222 to impermissibly use, disclose, or permit access to customers’ proprietary information without customer approval.

Loyaan A. Egal, Chief of the Enforcement Bureau and Chair of the Privacy and Data Protection Task Force said, “Carriers—and the customer information they have access to—are prime targets for threat actors. The Commission takes matters of consumer privacy, data protection, and cybersecurity seriously, including in the context of emerging security issues. The Enforcement Bureau’s investigations and resulting Consent Decree make clear that API security is paramount and should be on the radar of all carriers.”

In addition to a $16 million civil penalty, the settlement specifically requires TracFone to update its API security, implement an information security program, conduct annual security assessments, and provide privacy and security awareness training to its employees.

[View source.]