
Verizon Communications has reached a $16 million settlement with the Federal Communications Commission (FCC) in response to three data breach incidents at its subsidiary, TracFone Wireless. The breaches, which occurred between 2021 and 2023, compromised customer data and led to unauthorized access to sensitive information.
TracFone, a telecommunications provider offering services through brands like Total by Verizon Wireless, Straight Talk, and Walmart Family Mobile, experienced its first significant breach, known as the 'Cross-Brand' incident, which was self-reported on January 14, 2022. Although the breach was discovered in December 2021, the investigation revealed that threat actors had been accessing customer data since January 2021. The attackers exploited vulnerabilities in authentication and certain APIs to gain unauthorized access to personally identifiable information (PII) and customer proprietary network information (CPNI), leading to unauthorized number porting requests.
Two additional breaches were reported on December 20, 2022, and January 13, 2023. These incidents involved vulnerabilities in TracFone’s order websites, allowing unauthenticated actors to access order information, including CPNI and other customer data. The FCC noted that the attackers used two methods to exploit the vulnerabilities, switching tactics when TracFone blocked the first method. The company implemented a long-term fix by February 2023.
The public version of the Consent Decree document does not disclose the number of individuals affected by these breaches or the extent of SIM-swapping incidents.
As part of the settlement, Verizon has agreed to enhance data security measures at TracFone by February 28, 2025. These measures include developing a mandated information security program to address API vulnerabilities, implementing secure authentication for SIM changes and port-out requests, conducting annual information security assessments, and organizing annual privacy and security training for employees.
Despite the settlement, Verizon and TracFone have not disclosed the number of customers impacted by the breaches.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543