02:31 PM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
Repost This

FTC Charges Two Companies With Exposing Data Via P2P Downloads

Firms did not use reasonable security methods to prevent installation of vulnerable software, FTC alleges

The Federal Trade Commission earlier this month charged two businesses with illegally exposing sensitive personal information of customers by allowing the installation of peer-to-peer file-sharing software in their enterprises.

According to a press release about the charges against EPN Inc. and Franklin's Budget Car Sales Inc., the FTC is alleging that the two companies failed to implement "reasonable security measures" against the installation of P2P software, which is used for trading music and movies, but may leave the involved computers open to data and file theft.

The FTC is seeking settlements with EPN, a debt-collection business, and the auto dealer that will bar misrepresentations about their privacy, security, confidentiality, and integrity of any personal information. The settlement also would require the companies to establish and maintain comprehensive information security programs.

The FTC alleges that EPN's chief operating officer installed P2P file-sharing software on the EPN computer system, causing sensitive information -- including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients -- to be made available to any computer connected to the P2P network.

The agency charged that EPN did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, and did not use reasonable methods to prevent, detect, and investigate unauthorized access to personal information on its networks.

The settlement order requires EPN to undergo data security audits by independent auditors every other year for 20 years.

In a separate case, the FTC charged that auto dealer Franklin’s Budget Car Sales (also known as Franklin Toyota/Scion) compromised consumers’ personal information by allowing P2P software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network.

Franklin sells and leases cars and provides financing for its customers. According to the FTC, its privacy policy said, “We restrict access to nonpublic personal information about you to only those employees who need to know that information to provide products and services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard nonpublic personal information.”

The FTC alleges that Franklin failed to implement reasonable security measures to protect consumers’ personal information, and, as a result, information for 95,000 consumers was made available on the P2P network. The information included names, addresses, Social Security Numbers, dates of birth, and driver’s license numbers.

The agency charged that Franklin failed to assess risks to the consumer information it collected and stored online, and failed to adopt policies to prevent or limit unauthorized disclosure of information. It also allegedly failed to prevent, detect, and investigate unauthorized access to personal information on its networks, failed to adequately train employees, and failed to employ reasonable measures to respond to unauthorized access to personal information.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/30/2012 | 7:07:26 PM
re: FTC Charges Two Companies With Exposing Data Via P2P Downloads
More job security for me
User Rank: Ninja
6/30/2012 | 11:51:35 PM
re: FTC Charges Two Companies With Exposing Data Via P2P Downloads
The FTC seems to be getting real aggressive with filing suits against companies. They also recently took an action against Wyndham Worldwide in connection with some data breaches that occurred a few years ago. If the government is cracking down, that could force businesses to more aggressively implement best practices and security technologies.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web