Cox fined $595K after Lizard Squad “hack”. Good.

Getting a LOT of mileage out of this image.

I’ll have to resist making a “Hackers love Cox” joke.

If you’ve ever heard of PHI, PII, or any other industry-specific term for “customer’s private information”, CPNI shouldn’t be too hard of a concept to grasp. Just like PHI refers to your health information stored with, for example, your health insurance provider, CPNI (Customer Proprietary Network Information) refers to personal information stored with your telephone provider. Just like PHI and all the rest, CPNI is, under federal law, considered pretty sacred. So much so that service providers who mishandle CPNI are subject to six-figure fines per occurrence, per day.

The FCC just handed down such a fine, to the tune of nearly $600,000, after Lizard Squad script kiddie “EvilJordie” (also operating under the alias “GDKJordie”), posing as Cox IT support, socially engineered a Cox representative into entering her work credentials into a webform he controlled. This allowed the child to log into private Cox systems under the representative’s name, giving him unauthorized access to a large amount of CPNI for a short while until the account was disabled.

This fine is a wonderful thing, and we need to start seeing more of them, and for larger amounts.
