Liisa M. Thomas, Tracy Chau, and Kathryn Smith of SheppardMullin write:
TracFone, the pre-paid phone company, recently settled with the FCC over allegations that the company failed to protect customer information during three different data incidents. According to the FCC, in each of the incidents, threat actors gained access to customer information, including names, addresses, and features to which customers had subscribed. The threat actors were able to gain access by exploiting vulnerabilities in the customer-facing application programming interfaces or APIs.
TracFone reported the initial breach to the FCC in January 2022. It then experienced two additional breaches, of which it notified the FCC in December 2022 and January 2023. (These notices occurred before the recent changes to the FCC’s data breach notification rule.) In both incidents, threat actors again exploited API vulnerabilities, and used those vulnerabilities accessed users’ order information.
Read more at Eye on Privacy.