
Cyber Incident Victim: Cox Communications

Date: Mar 2016

Location: United States of America

Summary

A telecommunications provider experienced a breach involving employee data advertised for sale on a dark web marketplace, with approximately 40,000 records containing names, email addresses, phone numbers, office locations, managerial associations, and login activity details compromised. The exposed information included non-public employee email addresses and credential management timestamps spanning several years, with some entries reflecting recent activity. While the listing suggested potential access to additional data such as customer details, no evidence corroborated this claim. The company confirmed awareness of the incident, initiated a third-party forensic investigation, and collaborated with law enforcement, emphasizing its prioritization of data security and privacy.

Description

In early March 2016, Cox Communications, a major U.S. internet and cable service provider, faced a significant data security incident involving the unauthorized exposure of employee information. On March 3, 2016, a listing appeared on The Real Deal Market—a dark web marketplace specializing in stolen data—advertising the personal details of approximately 40,000 Cox employees. The listing claimed to offer names, email addresses, phone numbers, physical addresses, manager names, last login dates, and password reset timestamps. Motherboard, a technology news outlet, obtained and analyzed a sample of 100 employee records from the advertised dataset to verify its authenticity. The sample revealed that many email addresses were not publicly accessible online, though some were discoverable through open sources. Cross-referencing with LinkedIn profiles and other public records confirmed that the names corresponded to actual Cox employees. Physical addresses in the sample predominantly pointed to Cox office locations rather than residential addresses, and some entries contained duplicate records. The login and password reset dates ranged from as early as 2007 to as recent as December 2015, indicating the data spanned multiple years.

Cox Communications confirmed awareness of the incident on the same day the listing surfaced, initiating an immediate response. The company engaged a third-party forensic team to conduct a comprehensive investigation and collaborated with law enforcement agencies. In a public statement, spokesperson Todd Smith emphasized Cox’s commitment to privacy and data security as a top priority but did not disclose specifics about the breach’s origin or attack methodology. The hacker responsible for the listing claimed to have executed the breach and suggested possession of additional data, potentially including customer information, though no evidence supporting this claim was provided to Motherboard during verification. The incident exposed operational details about employee accounts and internal hierarchies but did not conclusively impact customer data based on available evidence. Cox’s investigation focused on determining the full scope of compromised systems, the duration of unauthorized access, and the potential exfiltration of additional sensitive information beyond the employee records offered for sale.
