April 24, 2019

FTC brings enforcement action for deficient cybersecurity practices leading to data breach

The FTC announced a complaint and consent agreement with the website ClixSense (a website that pays users to view advertisements and complete other online tasks), for unfair and deceptive business practices, in violation of the FTC Act, that ultimately resulted in a large-scale data breach. 

The FTC alleges that ClixSense’s customers were deceived because the website falsely claimed that: 1) customer information was being encrypted; and 2) the website employed the latest security techniques. In fact, the website stored personal information in plaintext rather than encrypting it, and the website operator’s security techniques did not even meet standards proposed as far back as 2013. For example, ClixSense failed to perform vulnerability and penetration tests, implement intrusion detection and prevention systems, change default login and password credentials on network assets, use encryption for personal information, and use appropriate logging to assess security incidents. The FTC also alleges that the failure to implement reasonable security measures was an unfair business practice.

ClixSense’s failure to implement reasonable security measures allowed hackers to exploit a well-known vulnerability, leading to a breach that exposed the records of 6.6 million customers worldwide, and 500,000 in the U.S.  According to the FTC, 2.7 million consumer records, including such information as names, physical addresses and Social Security numbers, were posted for sale online.  

As part of the agreement, ClixSense’s operator, James V. Grago, Jr. is required to obtain independent, biennial audits of the security programs for any of his websites that collect or maintain personal information, and submit an annual compliance certification to the FTC.