The New York Attorney General settled cases with five companies – Equifax, Western Union, Priceline.com, Spark Network and Credit Sesame – for having mobile apps that failed to keep sensitive user data secure when transmitted over the Internet. The companies’ mobile apps suffered from a well-known security vulnerability that could have allowed hackers to intercept users’ sensitive information such as passwords, social security numbers, credit card numbers and bank account numbers.
The settlements, which do not impose fines, require the companies to implement comprehensive data security programs to address the mobile apps’ security flaws that left the apps vulnerable to fairly well-known hacking techniques. Although the companies represented to users that they would use reasonable security measures to protect users’ information, certain versions of the companies’ apps failed to properly authenticate SSL/TLS certificates, which help establish a secure connection between a mobile device and a computer server. This failure left app users who had connected to public Wi-Fi networks vulnerable to so-called “man-in-the-middle attacks,” in which a hacker impersonates a company’s servers and intercepts information users type into the app. Despite these data security representations to users, the companies failed to sufficiently test whether their mobile apps had this vulnerability.
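The class of flaw at issue almost always traces back to code that switches off certificate or hostname validation. The following checker, added here as an illustration and not taken from the settlements or from any of the named companies' apps, scans app source for the well-known bypass idioms a pre-release security review should catch; the sample source lines are constructed, and the rule list is an assumption about what a reviewer would look for, not anything the settlement documents enumerate.

```python
import re
from typing import List, Tuple

# Each rule: (rule id, pattern, what a match indicates). The patterns are
# well-known ways of disabling TLS certificate or hostname validation in
# Android (Java), iOS (ATS / AFNetworking) and Python HTTP clients.
RULES = [
    ("java-trust-all-manager",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
     "X509TrustManager whose checkServerTrusted body is empty: accepts any server certificate"),
    ("java-allow-all-hostname",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;"),
     "HostnameVerifier that accepts any hostname"),
    ("ios-arbitrary-loads",
     re.compile(r"NSAllowsArbitraryLoads</key>\s*<true\s*/>"),
     "App Transport Security disabled for all connections"),
    ("ios-invalid-certs",
     re.compile(r"allowInvalidCertificates\s*=\s*YES|validatesDomainName\s*=\s*NO"),
     "AFNetworking security policy accepts invalid certificates or any domain name"),
    ("generic-verify-off",
     re.compile(r"verify\s*=\s*False|CERT_NONE|check_hostname\s*=\s*False"),
     "client-side certificate verification turned off"),
]


def scan_source(text: str) -> List[Tuple[str, int, str]]:
    """Return (rule id, 1-based line number, description) for every bypass idiom found."""
    findings = []
    for rule_id, pattern, description in RULES:
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((rule_id, line_no, description))
    return sorted(findings, key=lambda f: f[1])


def has_tls_validation_bypass(text: str) -> bool:
    """True if the source contains at least one validation bypass (fail the build on this)."""
    return bool(scan_source(text))


# Constructed sample: a mix of Android, iOS and Python snippets, one of which is safe.
SAMPLE_SOURCE = """\
TrustManager[] trustAll = new TrustManager[]{ new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}};
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
<key>NSAllowsArbitraryLoads</key><true/>
securityPolicy.allowInvalidCertificates = YES;
resp = requests.get(url, verify=False)
ctx = ssl.create_default_context()  # safe: verifies the chain and the hostname
"""

if __name__ == "__main__":
    for rule_id, line_no, description in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: [{rule_id}] {description}")
```

Run in CI against the app's source tree, a non-empty result from `scan_source` is a reason to block the release until the bypass is removed or justified.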
The settlements are part of the New York Attorney General’s initiative to find and patch security vulnerabilities before user information is compromised.
Takeaway: As we have previously written, federal and state regulators appear to be ramping up their enforcement against companies that fail to provide sufficient data security policies to protect users’ information.