FCC Plans $10M Fine for Carriers That Breached Consumer Privacy

The Federal Communications Commission (FCC) has levied a $10 million fine on two telecoms companies that allegedly stored the personal data of 300,000 customers online without adequate protection.

The two companies in question – YourTel America and TerraCom – share the same owners and management. From September 2012 to April 2013, both companies allegedly collected personal information from applicants – including social security numbers, dates of birth, addresses, names, and drivers’ license numbers – and then stored it on publicly accessible Internet servers.

The breach was discovered when reporters for the Scripps Howard News Service found the data with a simple Google search. System Compliance | Securious 600

From the FCC Website: Washington, D.C. – The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was gathered to demonstrate eligibility for the Lifeline program, which is a Universal Service Fund program that provides discounted phone services for low-income consumers. The companies allegedly breached the personal data of up to 305,000 consumers through their lax data security practices and exposed those consumers to identity theft and fraud. This is the Commission’s first data security case and the largest privacy action in the Commission’s history.

 “Consumers trust that when phone companies ask for their Social Security number, driver’s license, and other personal information, these companies will not put that information on the Internet or otherwise expose it to the world,” said Travis LeBlanc, Chief of the FCC’s Enforcement Bureau. “When carriers break that trust, the Commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.”

Pete Woodward comments:
A shocking tale of inappropriate security controls that will cost the companies in question reputational and ultimately financial loss.
ISO27001 certification is a great way to show that you take Information Security seriously. A properly implemented Information Security Management System (ISMS) can provide a systematic approach to keeping confidential and sensitive information secure.”

To discuss any Compliance issues or how we can help you achieve and maintain compliance, give us a call on 01837 871247

Are we there yet?
Data Security Risks every SME should know about