TracFone to pay $16 million to settle FCC cyber and privacy investigation
2024-7-24 00:16:25 Author: therecord.media

The Federal Communications Commission (FCC) announced Monday that Verizon-owned TracFone Wireless will pay a $16 million civil penalty to end an investigation into how its alleged failure to safeguard consumer data led to three data breaches across two years.

The breaches resulted from malicious use of application programming interfaces (APIs), which enable communications between computer programs or components, an FCC press release said.

APIs are often used to obtain customer information maintained on websites. The FCC suggested the breaches compromised consumer privacy and were the result of ineffective cybersecurity protocols.

The settlement requires TracFone to bolster its API security, an action the agency called critical due to how pervasive APIs are and how many unauthorized actors use them to breach websites.

TracFone’s poor security practices are especially notable because the brand’s anonymous phone service, commonly known for enabling “burner” phones, is built to accommodate consumers’ desire for privacy.

The breaches compromised customers’ network information, personally identifiable information and “numerous unauthorized port-outs.”

The settlement between the FCC and TracFone was first reported by CyberScoop.

TracFone did not immediately respond to a request for comment.

“The Commission takes matters of consumer privacy, data protection, and cybersecurity seriously, including in the context of emerging security issues,” Loyaan Egal, who chairs the FCC’s enforcement bureau and newly formed privacy and data task force, said in a prepared statement. “API security is paramount and should be on the radar of all carriers.” 

TracFone services are used by the brands Straight Talk, Total by Verizon Wireless and Walmart Family Mobile. Verizon bought the company in November 2021, two months before the first of the three breaches.

In addition to the $16 million fine, the settlement requires TracFone to:

  • Create an information security program including “novel provisions” diminishing API vulnerabilities and do so using standards set by the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP)
  • Change its subscriber identity module, commonly known as SIM, and port-out safeguards
  • Undergo annual third-party assessments of its new information security program
  • Train employees and third parties working with it to better understand privacy and security requirements



Source: https://therecord.media/tracfone-16-million-to-settle-fcc-investigation