On 22 July 2024, the US Federal Trade Commission (FTC) announced a USD 16 million settlement with TracFone Wireless following an investigation into the carrier's data protection and cybersecurity practices. The investigation was opened following three data breaches that occurred between January 2021 and January 2023, which exposed customers' proprietary information, including Customer Proprietary Network Information (CPNI) and Personally Identifiable Information (PII). In particular, the breaches exploited vulnerabilities in TracFone's application programming interfaces (APIs), which are critical for communication between different software systems but also common targets for cyberattacks. The settlement includes measures to enhance TracFone's API security. These measures involve the implementation of an information security program aligned with standards set by the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP). In addition, the settlement mandates enhanced Subscriber Identity Module (SIM) change and port-out protections, annual security assessments by independent third parties, and privacy and security awareness training for employees and relevant third parties.