Federal Communications Commission DA 24-481
6
to January 2022, threat actors gained access to Customer accounts containing proprietary information,
24
which included certain CPNI and personally identifiable information.
25
After gaining access to the
Customer information, the threat actors completed approximately {[ ]} unauthorized port-outs.
TracFone subsequently worked with those Customers to have the port-outs reversed and return their
service to TracFone, if that was the Customers’ preference.
26
10. In connection with this incident, threat actors exploited certain vulnerabilities related to
authentication and a limited number of APIs. By exploiting those vulnerabilities, threat actors were able
to gain unauthorized access to certain Customer information.
27
11. TracFone informed the Bureau that it took steps to remediate the incident and return all
phone lines to the correct Customers (i.e., port-in the Customers who had experienced an unauthorized
port-out). In January 2022, the Company activated certain port-out notifications to Customers to ensure
that any port-out requests that were received were authorized and intended, and began requiring randomly
generated PINs from Customers to secure and validate their accounts in connection with requests to port
their number to a non-TracFone brand.
28
TracFone also informed the Bureau that it spent several months
investigating, testing, and securing the relevant systems after this attack by the external threat actors and
had remediated all vulnerabilities associated with the Cross-Brand Incident in 2022.
29
12. Order Website Incidents. Following the Cross-Brand Incident, TracFone experienced
two additional incidents, both related to the Company’s order websites (collectively, the Order Website
Incidents). TracFone reported these incidents to the Data Breach Reporting Portal on December 20, 2022,
and January 13, 2023, respectively.
30
The Bureau opened an investigation and issued Letters of Inquiry to
the Company.
31
The Order Website Incidents also involved attacks by external threat actors, which
exposed certain Customer information,
32
and included certain CPNI as well as other Customer
information.
33
13. Both incidents involved exploiting a vulnerability that allowed the threat actor to access
order information (including certain CPNI and other Customer information) without being properly
authenticated. The threat actor(s) used two different methods to exploit the vulnerability (switching to a
24
Id. at 35, Response to Inquiry 5; E-mail from Harley Raff, Associate General Counsel, Verizon, to Shana Yates,
Deputy Chief, Telecommunications Consumers Division, FCC Enforcement Bureau (Sept. 2, 2023, 08:37 EDT).
25
Id. at 13, Response to Inquiry 1.
26
Id. at 35, Response to Inquiry 5.
27
Id. at 7, Response to Inquiry 1.
28
Id. at 7-8, Response to Inquiry 1.
29
Id. at 23, Response to Inquiry 2.
30
FBI/USSS CPNI Data Breach Reporting Portal Report 2022-7262 (Dec. 20, 2022) (on file in EB-TCD-23-
00034682); FBI/USSS CPNI Data Breach Reporting Portal Report 2023-245 (Jan. 13, 2023) (on file in EB-TCD-23-
00034682).
31
See Letter of Inquiry from Kristi Thompson, Chief, Telecommunications Consumers Division, FCC Enforcement
Bureau, to Harley Raff, Counsel, TracFone Wireless, Inc. (Jan. 11, 2023) (on file in EB-TCD-23-00034682) (Order
Website LOI); Supplemental Letter of Inquiry from Kristi Thompson, Chief, Telecommunications Consumers
Division, FCC Enforcement Bureau, to Harley Raff, Counsel, TracFone Wireless, Inc. (May 25, 2023) (on file in
EB-TCD-23-00034682) (Order Website Supplemental LOI).
32
Response to Order Website LOI, from Harley Raff, Associate General Counsel, Verizon, to Shana Yates, Deputy
Division Chief, Telecommunications Consumers Division, FCC Enforcement Bureau, at 11, Response to Inquiry 5
(Feb. 24, 2023) (on file in EB-TCD-00034682) (Order Website LOI Response).
33
Order Website LOI Response at 12, Response to Inquiry 7.