DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Safeguard your network and customer credentials: Tips from the latest FTC data security case

Posted on April 25, 2019 by Dissent

One of the other enforcement actions the FTC has taken stems from the ClixSense breach in 2016. Lesley Fair of the FTC writes:

Suppose a lunch companion says, “I think there’s something wrong with this tuna salad.” To determine if the problem is tuna not to their taste vs. tuna gone bad, would you scarf it down? Probably not. Now remove tuna salad from the example and substitute a web browser extension. (Stay with us here.) Let’s say you’ve been warned that an unknown extension could be used for fraud. Should you download it and let it marinate in your company’s network? The FTC says that’s what the owner of ClixSense.com did, and it’s just one example of conduct challenged as deceptive or unfair.

ClixSense – a sole proprietorship owned by James V. Grago, Jr. – is a rewards website that pays users for clicking on ads, taking online surveys, or completing other tasks. As part of the enrollment process, ClixSense collects users’ full names, addresses, dates of birth, and other personal information. In addition, people must create usernames and passwords and answer security questions. If users earn more than $600 a year from ClixSense, they have to turn over their Social Security numbers, too.

Visitors to ClixSense.com were promised “the latest encryption and security techniques to ensure the security of your account information.” But according to the complaint, at least through 2016, the site didn’t honor that claim. The FTC alleges that ClixSense didn’t perform network vulnerability and penetration testing, didn’t use established techniques to protect against third-party attacks, didn’t implement reasonable access controls, didn’t use techniques to detect cybersecurity events, and didn’t use encryption – among other techniques – to protect sensitive consumer information stored in plain text on its network.

What’s more, the FTC says ClixSense let employees store plain text user credentials in personal email accounts, didn’t change third-party default logins and passwords, failed to use readily available security measures, and maintained consumers’ information, including their Social Security numbers, in clear text on the company’s network and devices.

In November 2015, a user warned ClixSense about a publicly available browser extension that appeared to allow people to click on ads without actually viewing them. To use a term well-known in the industry, the browser extension purportedly facilitated click fraud. And that’s where the iffy tuna salad analogy comes into play, because how did ClixSense respond to the concern about this suspect browser extension? According to the FTC, ClixSense simply downloaded it onto its own network without taking proper precautions. There it sat for months as hackers used it to access credentials on employee laptops, change employees’ logins and passwords, and redirect visitors to an unaffiliated adult website – all clues that should have alerted ClixSense that its network had been compromised.

Ultimately, hackers used credentials lifted from an email on a compromised employee laptop to access an old ClixSense server still connected to the network. That server used the default credentials ClixSense had never changed. If lawsuits were horror movies, this is where you’d cover your eyes and yet still feel compelled to peek at what happened. That’s because hackers used the old server to connect to the new server, which is where they downloaded personal information maintained in clear text on about 6.6 million consumers, 500,000 of them in the U.S. The hackers then offered stolen data for sale on a questionable website.

The complaint challenges the company’s claims about using “the latest security and encryption techniques” as false or misleading. The FTC also alleges that the failure to use reasonable security was an unfair practice.

For people who follow FTC data security enforcement, the proposed order is worth a careful read. Among other things, the order prohibits misrepresentations about the privacy, security, confidentiality, or integrity of personal information, including the extent to which encryption and security techniques are used. In addition, before collecting personal information, Mr. Grago and any company he controls must put a comprehensive information security program in place. The proposed order lists eight specific features the program must have, all tied to the conduct and lapses alleged in the complaint. Also required: periodic third-party security assessments and annual certifications that the requirements of the order are in place. Once the proposed consent agreement is published in the Federal Register, you will have 30 days to file a public comment.

What can other companies take from this case?

Deliver on your security pledges. Security claims are more than cut-and-pasted boilerplate. Like any other objective representation, they need the support of solid substantiation.

Monitor for suspicious activity and respond quickly and thoughtfully. Use affordable tools to alert you to unexplained traffic on your network or changes to your website. If you suspect a security incident, implement a forceful red zone defense. But don’t “investigate” with a wayward click or download your tech team hasn’t thought through. Turn to the FTC’s Data Breach Response publication and video for advice.

A confidential credential can be consequential. Most business people know that certain kinds of data – for example, Social Security numbers and account information – can be toxic to a consumer’s identity if they fall into hackers’ hands. But stolen login credentials can inflict harm, too. Let’s face it: People have been known to use the same username and password on more than one site. Because the theft of a user’s login on your site could serve as a skeleton key to give hackers access to consumers’ bank accounts, medical records, or other highly sensitive information, keep a close eye on credentials. Start with Security has more tips on passwords and authentication.

Following data security developments? The Commission issued a statement today in conjunction with the announcement of this proposed settlement and a separate COPPA action.

Related posts:

  • FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
  • Henry Schein settles FTC charges it misled customers about encryption of patient data
  • Equifax Reaches $1.4 Billion Data Breach Settlement in Consumer Class Action; Also Agrees to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach
  • FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising
Category: Business SectorCommentaries and AnalysesMalwareOf NoteU.S.

Post navigation

← PA: Partners for Quality notifies 3,673 clients after employee email accounts compromised
“FTC gives two companies a slap on the wrist after appalling hacks” →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.