TracFone Wireless, a subsidiary of Verizon, has agreed to pay a $16 million civil penalty imposed by the FCC due to three data breaches that occurred between January 2021 and January 2023. The breaches involved port-out fraud and unauthorized access to order information on TracFone’s website.

Port-out fraud is when criminals use stolen personal information to trick a wireless carrier into transferring a customer’s account to another carrier without permission. This allows attackers to take control of the victim’s phone and access sensitive information like bank accounts and credit cards.

Similarly, SIM swap involves thieves pretending to be customers to get a new SIM card from the carrier. Once activated, the thief can hijack the customer’s account and access their personal information.

To address these vulnerabilities, TracFone has agreed to pay the civil penalty and implement an information security program to reduce API vulnerabilities. The company will also enhance its defenses against SIM swaps and port-out fraud, as well as provide privacy and security training for employees.

The FCC requires carriers to take reasonable measures to protect customer data, as outlined in Section 222 of the Communications Act. TracFone, known for brands like Straight Talk and Total by Verizon Wireless, was acquired by Verizon for over $6 billion in cash and stock in November 2021.

By addressing these security flaws and enhancing its cybersecurity measures, TracFone aims to better protect its customers’ personal information from unauthorized access and potential attacks.