In a bid to stop data breaches and SIM-swapping attacks on consumers, the FCC is creating a new task force to crack down on US carriers with poor security practices.
The Privacy and Data Protection Task Force promises to show some teeth in reining the telecommunications industry, says FCC Chairwoman Jessica Roscenworcel.
“We are going to bring all of our technical and legal experts together from across the agency to maximize coordination and use the law to get results—by evolving our policies and taking enforcement action,” she said in a speech on Wednesday.
The task force will try to address the data breaches that continue to hit US carriers. In her speech, Rosenworcel alluded to the January breach at T-Mobile, where data on 37 million users was stolen, and then another breach in March at AT&T involving customer data of 9 million wireless accounts.
“Over and over again we are seeing reports of data breaches involving the data carriers have about their customers,” she said.
The other major problem is how scammers continue to successfully manipulate carriers into performing SIM-swapping attacks on their customers, enabling them to hijack their cell phone numbers. The attacks work by stealing a victim’s personal details, and then impersonating them to trick a cellular provider into handing over access to the victim’s cell phone number. The scammer can then use the hijacked phone number to bypass the two-factor authentication on email and bank accounts, thus making SIM swaps one of the most devastating kind of hacks.
“Late last year we had a carrier notify an undisclosed number of its prepaid wireless customers that they had been targeted by SIM-swapping attacks,” Roscenworcel said, likely alluding to Verizon. “As most of this audience knows, SIM swapping is an increasingly popular scam.”
In response, the task force will focus on both modernizing the FCC’s rules on data breaches and conducting enforcement, meaning it’ll go after companies that fail to follow the regulations. In addition, the task force will examine the data the FCC received last year when it asked 15 US carriers about their geolocation data and privacy practices.
That said, the FCC has faced criticism for moving too slow or imposing weak penalties on US carriers. For example, the task force comes nearly two years after the FCC initially announced it was creating rules to stop SIM-swapping attacks. In 2020, the Commission also fined major US carriers for selling their customers' geo-location data to third parties, but the fine was merely a collective $200 million.
Still, Roscenworcel is signaling the FCC is ready to take stronger action. In her speech, she noted the Commission is floating a proposed “enforcement action against two companies that have put the security of communications customers at risk,” without naming the providers.
“??It’s an enforcement action, so I can’t say more right now. But I can say this: right out of the gate, we are showing that this Task Force means business,” Rosenworcel said. She added that the FCC has also “doubled the number of people working on privacy and data security investigations.”