Fandango, Credit Karma Settle FTC Charges in Data Security Case

Sends strong message to companies to tighten procedures

The Federal Trade Commission continues to step up its data security enforcement in an attempt to stop data breaches before they harm consumers. On Friday, the agency announced Fandango and Credit Karma agreed to settle charges the companies misrepresented the security of their mobile apps.

Although neither company experienced a data breach, the FTC found that the apps failed to take reasonable steps to make sure that when consumers bought movie tickets from Fandango and Credit Karma the transmission of consumers' sensitive personal information like credit card and social security numbers were secure. In short, the companies flunked data security 101, according to the FTC.

Without going into the technical details, the FTC found that the security system used by the apps made it vulnerable to "man-in-the-middle" attackers that could intercept consumers' personal information because the companies failed to properly encrypt information. Instead of using what is known as a secure sockets layer or SSL that would help secure the sensitive transactions, Fandango and Credit Karma over-rode the default validation process. On top of that, the companies didn't test the app properly before it went to market, and then ignored security warnings from third parties because the companies lacked an adequate process for receiving and addressing security vulnerabilities.

Luckily, no consumer's personal information was compromised. But the FTC concluded it could have been, sending a strong message to companies to tighten up data security programs.

"The FTC isn't just looking to see if something bad happened; they're getting technical and looking at process," said Jules Polonetsky, director of The Future of Privacy Forum. "If you don't have a credible security program in place, you are violating reasonable FTC standards."

Data security has been an increasing enforcement priority for the FTC, which has brought more than 50 data security cases under the agency's unfair and deceptive authority. The FTC would like to do more, which is why FTC chairwoman Edith Ramirez has been making the rounds lately in Washington and before Congress advocating for data security legislation, such as Sen. Jay Rockefeller's (D-W.Va.) bill that would give the FTC the authority to set data security standards.

"Companies are still not putting in place appropriate security measures," Ramirez said in an interview on C-Span's Communicators.

Recommended articles