Atlanta-based digital cable television, internet, and phone services provider Cox Communications has disclosed a data breach that exposed customer information.
Cox said it learned on October 11, 2021, that a hacker impersonated a support agent and gained access to some customers’ personal information.
With over 20,000 employees and 6.5 million customers, Cox ranks as the third-largest cable television provider and the seventh-largest telephone carrier in the United States.
The October data breach was the second cybersecurity incident, six months after the ransomware attack that affected Cox Media Group (CMG) in June 2021.
Hackers accessed personally identifiable information (PII) in the Cox data breach
Cox Communications said that the hacker impersonated a support agent and accessed customer account information. The data exposed included the customer’s name, address, telephone number, username, PIN code, Cox account number, Cox.net email address, account security question and answer, and/or the types of digital services to which the customer subscribed.
“On October 11, 2021, Cox learned that an unknown person(s) had impersonated a Cox agent and gained access to a small number of customer accounts,” Cox said.
Subsequently, the company launched an internal investigation, took additional steps to secure the affected customer accounts, and notified the relevant law enforcement agencies.
However, the data breach notification did not clarify whether customers’ financial information or passwords were accessed.
Nor did the company disclose whether the data breach affected its partners’ operations. Threat actors often target upstream vendors like Cox in order to compromise their downstream customers through supply chain attacks.
Although subscribers’ financial information was likely not affected, the company advised its customers to monitor their financial accounts for suspicious activity.
It also advised them to change the password on any other online account that reuses the password of the compromised Cox account.
Paul Laudanski, Head of Threat Intelligence at Tessian, said the Cox Communications data breach highlighted the risk of password reuse. He added that support agent accounts “should be held to a higher security standard than what the agents normally engage in.”
“Passwords and SQ/SA should never be visible, and they should require a higher level of security to prevent account takeover,” he explained. “For instance, take a hacker who’s trying to brute-force their way into an account without knowing the password. The system would then prompt the bad actor for information that only the account holder would know (i.e. the security question and answer).”
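The design Laudanski describes, where agents can verify a customer’s PIN or security answer without ever seeing it, can be illustrated with a small support-console model. The code below is an added example written for this article, not Cox’s or Tessian’s code; the record fields, the PBKDF2 iteration count, the three-attempt lockout and the sample account are all assumptions chosen for illustration. Secrets are stored only as salted hashes, the agent-facing view is redacted, and repeated wrong answers lock verification so the stored secret cannot be brute-forced through the console.

```python
"""Support-console verification that never exposes PINs or security answers.

Added illustration for the Cox breach article; not Cox's code. Record fields,
iteration count, lockout threshold and sample data are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000   # assumption: tune per deployment
MAX_FAILED_ATTEMPTS = 3       # assumption: lock verification after 3 misses


def normalize(answer: str) -> str:
    """Fold case and collapse whitespace so 'Main  Street' matches 'main street'."""
    return " ".join(answer.strip().lower().split())


def hash_secret(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a normalized PIN or security answer."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(value).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


@dataclass
class CustomerRecord:
    """What the back end stores: hashes only, never the plaintext secrets."""
    account_number: str
    name: str
    phone: str
    security_question: str
    pin_salt: bytes
    pin_hash: bytes
    answer_salt: bytes
    answer_hash: bytes
    failed_attempts: int = 0


def create_record(account_number, name, phone, question, pin, answer) -> CustomerRecord:
    """Hash the PIN and answer with independent random salts; plaintext is discarded."""
    pin_salt, answer_salt = os.urandom(16), os.urandom(16)
    return CustomerRecord(
        account_number=account_number, name=name, phone=phone,
        security_question=question,
        pin_salt=pin_salt, pin_hash=hash_secret(pin, pin_salt),
        answer_salt=answer_salt, answer_hash=hash_secret(answer, answer_salt),
    )


def agent_view(record: CustomerRecord) -> dict:
    """What a support agent's screen shows: the question, but no PIN, answer or hashes."""
    return {
        "account_number": record.account_number,
        "name": record.name,
        "phone_last4": record.phone[-4:],
        "security_question": record.security_question,
        "locked": record.failed_attempts >= MAX_FAILED_ATTEMPTS,
    }


def _verify(record: CustomerRecord, salt: bytes, expected: bytes, provided: str) -> bool:
    """Constant-time comparison of the hashed attempt; refuses once locked out."""
    if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False
    ok = hmac.compare_digest(hash_secret(provided, salt), expected)
    if ok:
        record.failed_attempts = 0
    else:
        record.failed_attempts += 1
    return ok


def verify_security_answer(record: CustomerRecord, provided: str) -> bool:
    """Agent types what the caller says; the console reports only pass/fail."""
    return _verify(record, record.answer_salt, record.answer_hash, provided)


def verify_pin(record: CustomerRecord, provided: str) -> bool:
    return _verify(record, record.pin_salt, record.pin_hash, provided)


if __name__ == "__main__":
    # Constructed sample account, not real customer data.
    rec = create_record("ACCT-0001", "Pat Example", "4045550123",
                        "Name of your first pet?", "4921", "Rex")
    print(agent_view(rec))
    print("answer ok:", verify_security_answer(rec, " rex "))
    print("pin ok:", verify_pin(rec, "0000"))
```

The point of the split between `agent_view` and the `verify_*` functions is that a compromised or impersonated agent session yields only yes/no results and a redacted record, rather than the PIN and security answer that the breach notification lists among the exposed fields.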
Affected customers are also eligible for one-year free credit monitoring services from Experian to protect their accounts from potential identity theft.
Hackers used social engineering tactics to impersonate a Cox support agent
Cox did not disclose how the hacker managed to impersonate one of the company’s support agents.
However, the technology news site BleepingComputer, which first reported the data breach, suggested that the hacker likely used social engineering tactics to gain access to the company’s support systems.
The attackers will likely use the stolen account information to run further social engineering attacks against Cox’s customers, again by impersonating Cox customer support agents.
Consequently, Cox subscribers should remain vigilant of phishing emails purporting to originate from the company’s customer support agents and requesting additional personal information.
“This serves as a reminder that data breaches can happen in many ways and often are the result of human error,” said Matt Sanders, Director of Security at LogRhythm. “Social engineering tactics like impersonating trusted colleagues or partners have proven highly successful time and again.”
James McQuiggan, a security awareness advocate at KnowBe4, said hackers usually leverage human behavior to compromise organizations with astonishing success. He suggested that organizations should educate users on verifying support agents when sharing sensitive information.
“Organizations need to educate users to trust AND verify whom they are speaking with based on the phone number stored in the corporate directory and initiate a call back when sharing sensitive information or accessing any systems. It may be an inconvenience and take a few extra minutes, but that can prevent damage to the organization’s brand and potential loss of revenue.”
Customers should know that a legitimate customer support agent does not request sensitive information such as credit card numbers or passwords. They should also enable two-factor authentication to provide an additional layer of security.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, noted that data breaches involving the impersonation of support agents have been quite successful.
“There have been several similar breaches that have occurred the past few years due to compromise of internal helpdesk systems, Twitter being the most notable incident,” said Clements. “I believe these point to widespread failures to account for all potential threat vectors when forming an overall security strategy.”
He added that while most people imagine sophisticated data breaches like SolarWinds, routine, mundane operations are a more common source of security incidents.
“For example, the most dangerous things we do every day on our computers are email and web browsing, but the banality of those things means we don’t feel at heightened risk when doing them.
“This type of information typically isn’t needed by employees to conduct their work, so it should be kept more secure so it doesn’t fall into the wrong hands, which is not what happened in the case of this data breach.”
Cox is hardly the only telecommunications service provider to expose customer information. Other telecom giants like AT&T, Verizon, T-Mobile, and Sprint have suffered similar data breaches in the past few years, exposing troves of customer information.