TracFone logo

TracFone will pay $16 million to settle FCC data breach investigation

Following three separate data breaches between 2021 and 2023 which exposed the proprietary information (PI) of TracFone Wireless customers, the Federal Communications Commission (FCC) announced that the Verizon-owned company has agreed to pay a $16 million civil penalty to settle the government investigation, and it has made an agreement to improve its application programming interface  (API) security.

TracFone Wireless Inc. is an American prepay wireless service provider wholly owned by Verizon. TracFone services are used by the brands Straight Talk, Total by Verizon Wireless, and Walmart Family Mobile.

The settlement ends an investigation into TracFone’s security practices to uncover whether the breaches were the result of ineffective cybersecurity protocols. The Enforcement Bureau (EB) of the FCC found that cybercriminals gained access to certain TracFone customer information, including PI and customer proprietary network information (CPNI), by exploiting vulnerabilities related to customer-facing APIs.

APIs allow different computer programs or components to communicate with one another. When the security behind the APIs is not secure enough, cybercriminals can abuse them to gather information without authorization.

The FCC media release explains in detail that it is possible to leverage numerous APIs to access customer information from websites. And according to the FCC’s own Enforcement Bureau, that is exactly what happened at TracFone.

In addition to the civil penalty, the FCC secured extra assignments for TracFone in the Consent Decree:

  • TracFone has to deploy a mandated information security program, with novel provisions to reduce API vulnerabilities in ways consistent with widely accepted standards, like those identified by the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP).
  • TracFone must improve protection measures against SIM-swapping. SIM swapping (and the very similar port-out fraud) is the unlawful use of someone’s personal information to steal their phone number and swap or transfer it to another device. With this, criminals can intercept calls, messages, and certain multi-factor authentication (MFA) codes.
  • TracFone has to undergo annual assessments—including by independent third parties—of its information security program.
  • Employees and certain third parties are to receive privacy and security awareness training.

The Enforcement Bureau reported to the FCC that:

“After gaining access to customer information during one of the three breaches, the threat actors completed an undisclosed number of unauthorized port-outs.”

 All this occurs as the FCC has continued a mission against SIM-swapping.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

You can verify whether your information is available online due to data breaches by using the Malwarebytes Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan, and we’ll give you a report. For those whose information was not included, you’ll still likely find other exposures in previous data breaches.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.