The FCC’s Enforcement Bureau (Bureau) has entered into a Consent Decree with TracFone Wireless, Inc. (TracFone) to settle the Bureau’s investigation into alleged violations of the FCC’s rules. The Bureau was specifically investigating whether TracFone: (1) failed to meet its duty to protect the confidentiality of customer proprietary information (PI); (2) impermissibly used, disclosed, or permitted access to individually identifiable customer proprietary network information (CPNI) without customer approval; (3) failed to take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI; and (4) engaged in unjust and unreasonable information security practices in connection with three data breaches that occurred between 2021 and 2023. Third-party threat actors gained access to certain TracFone customer information, including PI and CPNI, by exploiting vulnerabilities related to customer-facing TracFone application programming interfaces (APIs). To settle these matters, TracFone will pay a civil penalty of $16,000,000 and develop and implement a compliance plan.
