DataBreaches.Net


Interesting closing letter from FTC to Verizon concerning WEP default on older routers

Posted on November 12, 2014 by Dissent

From the FTC

UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION
WASHINGTON, DC 20580

November 12, 2014

Ms. Dana Rosenfeld
Kelley Drye
Washington Harbour, Suite 400
3050 K Street, NW
Washington, D.C. 20007

Dear Ms. Rosenfeld:

As you know, staff in the Division of Privacy and Identity Protection has conducted an investigation into possible violations of Section 5 of the Federal Trade Commission Act by your client, Verizon Communications, Inc. (“Verizon”). The investigation considered whether Verizon engaged in unfair or deceptive acts or practices by failing to secure, in a reasonable and appropriate manner, the routers it provided to its High Speed Internet (DSL) and FiOS customers.

Among other things, our investigation examined the fact that Verizon regularly shipped routers to consumers with the default security set to an outdated encryption standard known as Wired Equivalent Privacy (“WEP”). Due to certain weaknesses in WEP, the Institute of Electrical and Electronics Engineers (“IEEE”) deprecated this standard in 2004 in favor of a new standard known as Wi-Fi Protected Access (“WPA”), and later, Wi-Fi Protected Access 2 (“WPA2”). However, until recently, Verizon continued to ship some router models with the WEP encryption standard. As a result, many Verizon customers still have routers that are set to the outdated WEP standard, leaving them vulnerable to hackers.

Despite this concern, staff has determined to close this investigation. Among the factors we considered were Verizon’s overall data security practices related to its routers, along with efforts by Verizon to mitigate the risk to its customers’ information. Indeed, Verizon has recently taken several steps to address the concerns regarding the security of its customers’ routers. First, the company has pulled all WEP-defaulted routers from its distribution centers and set them to WPA2, ensuring that all routers distributed going forward will be set to WPA2 by default. Second, the company has implemented an outreach campaign targeting customers that are currently using WEP or no encryption and asking these customers to update their security settings to WPA2. Lastly, for those customers that have older routers incompatible with WPA2, the company is offering an opportunity to upgrade to WPA2-compatible units. We encourage consumers to take advantage of these opportunities to update their router security.

We continue to emphasize that data security is an ongoing process. As risks, technologies, and circumstances change over time, companies must adjust security practices accordingly. In the past, defaulting consumer routers to WEP may not have been unreasonable, given concerns about compatibility with older computing devices. However, what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them. As most all consumer devices on the market today are compatible with WPA2, it would likely be unreasonable for Internet Service Providers (“ISPs”) or router manufacturers to continue to default consumer routers to WEP encryption. We hope and expect that all companies that provide consumers with these products will ensure reasonable and appropriate default security settings.

The closing of this investigation is not to be construed as a determination that a violation may not have occurred, just as the pendency of an investigation should not be construed as a determination that a violation has occurred. The Commission reserves the right to take such further action as the public interest may require.
