Analytics
6/22/2012
Tim Wilson
Quick Hits

FTC Charges Two Companies With Exposing Data Via P2P Downloads

Firms did not use reasonable security measures to prevent installation of file-sharing software on their networks, FTC alleges

The Federal Trade Commission earlier this month charged two businesses with illegally exposing sensitive personal information of customers by allowing the installation of peer-to-peer file-sharing software in their enterprises.

According to a press release about the charges against EPN Inc. and Franklin's Budget Car Sales Inc., the FTC alleges that the two companies failed to implement "reasonable security measures" against the installation of P2P file-sharing software. Such clients are typically used to trade music and movies, but they serve whatever sits in their configured share folders to every other peer on the network; when business documents end up in those folders, they are exposed to anyone running the same client.

The FTC is seeking settlements with EPN, a debt-collection business, and the auto dealer that would bar misrepresentations about the privacy, security, confidentiality, and integrity of any personal information they hold. The settlements would also require the companies to establish and maintain comprehensive information security programs.

The FTC alleges that EPN's chief operating officer installed P2P file-sharing software on the EPN computer system, causing sensitive information -- including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients -- to be made available to any computer connected to the P2P network.

The agency charged that EPN did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, and did not use reasonable methods to prevent, detect, and investigate unauthorized access to personal information on its networks.

The settlement order requires EPN to undergo data security audits by independent auditors every other year for 20 years.

In a separate case, the FTC charged that auto dealer Franklin’s Budget Car Sales (also known as Franklin Toyota/Scion) compromised consumers’ personal information by allowing P2P software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network.

Franklin sells and leases cars and provides financing for its customers. According to the FTC, its privacy policy said, “We restrict access to nonpublic personal information about you to only those employees who need to know that information to provide products and services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard nonpublic personal information.”

The FTC alleges that Franklin failed to implement reasonable security measures to protect consumers' personal information, and, as a result, information on 95,000 consumers was made available on the P2P network. The information included names, addresses, Social Security numbers, dates of birth, and driver's license numbers.

The agency charged that Franklin failed to assess risks to the consumer information it collected and stored online, and failed to adopt policies to prevent or limit unauthorized disclosure of information. It also allegedly failed to prevent, detect, and investigate unauthorized access to personal information on its networks, failed to adequately train employees, and failed to employ reasonable measures to respond to unauthorized access to personal information.
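The failures the FTC lists for both companies (no risk assessment, no detection of unauthorized access, no response when it happened) come down to one concrete mechanism: a P2P client serves whatever sits in its share folder to every peer. The script below is an added example, not part of the Dark Reading story or of the FTC's complaints, showing the two checks an administrator can run against a machine's share folder: whether the share root is inside an approved media-only location, and whether any shared file contains Social Security number or date-of-birth patterns of the kind exposed in both cases. The folder layout, file names and record contents are constructed sample data, and the regular expressions are simple heuristics of my own, not anything the FTC or either company used.

```python
"""Audit folders a P2P client would expose for sensitive records.

Added example, not from the Dark Reading story or the FTC complaints.
It models the failure described there: a file-sharing client whose share
folder happens to contain customer or patient records. Two checks:
  1. scope:   is the share root inside an approved media folder?
  2. content: do shared files contain SSN- or date-of-birth-like strings?
Paths, folder names and file contents below are constructed sample data.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Loose SSN pattern (heuristic); structurally invalid area/group/serial
# values such as 000-, 666-, 9xx- areas, 00 groups and 0000 serials are excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# US-style MM/DD/YYYY dates, used as a date-of-birth heuristic.
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")


def share_in_scope(share_root: str, approved_roots: List[str]) -> bool:
    """True if share_root is an approved media folder or lies inside one.

    A share root that is *above* the approved folder (e.g. the whole home
    directory instead of ~/Music) fails this check, which is the classic
    misconfiguration that exposes documents alongside media files.
    """
    root = Path(share_root).resolve()
    for approved in approved_roots:
        a = Path(approved).resolve()
        if root == a or a in root.parents:
            return True
    return False


def scan_file(path: Path) -> Dict[str, int]:
    """Count SSN-like and DOB-like strings in one file (read as text, bad bytes ignored)."""
    text = path.read_text(encoding="utf-8", errors="ignore")
    return {"ssn": len(SSN_RE.findall(text)), "dob": len(DOB_RE.findall(text))}


def scan_share(share_root: str) -> List[dict]:
    """Walk the share and return one finding per file holding at least one SSN-like string."""
    findings = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            p = Path(dirpath) / name
            counts = scan_file(p)
            if counts["ssn"] > 0:
                rel = "/".join(p.relative_to(share_root).parts)  # normalise separators
                findings.append({"file": rel, **counts})
    return sorted(findings, key=lambda f: f["file"])


def build_sample_share() -> str:
    """Create a constructed share folder: music plus a misplaced CSV export (sample data)."""
    root = tempfile.mkdtemp(prefix="p2p-share-")
    (Path(root) / "music").mkdir()
    (Path(root) / "music" / "track01.mp3").write_bytes(b"\x00ID3 not real audio, just bytes")
    (Path(root) / "exports").mkdir()
    (Path(root) / "exports" / "collections.csv").write_text(
        "name,ssn,dob,diag\n"
        "A. Sample,123-45-6789,04/12/1971,E11.9\n"   # constructed record
        "B. Sample,321-54-9876,11/30/1985,I10\n"     # constructed record
    )
    (Path(root) / "readme.txt").write_text("Shared folder for downloads only.\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    # Assumption for the demo: only ~/Music is an approved share location.
    print("share in approved scope:", share_in_scope(share, [str(Path.home() / "Music")]))
    for f in scan_share(share):
        print(f"{f['file']}: {f['ssn']} SSN-like, {f['dob']} DOB-like")
```

Run it as-is to see the constructed folder flagged on both counts; in practice point `scan_share` at the directory the installed client actually advertises (its configured share or download folder) and `share_in_scope` at the list of folders the organization permits, and treat any hit as an incident to investigate rather than a file to quietly delete.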

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.

Comments
CBEAUREGARD481 (User Rank: Apprentice), 7/30/2012 7:07:26 PM
re: FTC Charges Two Companies With Exposing Data Via P2P Downloads
More job security for me.

Bprince (User Rank: Ninja), 6/30/2012 11:51:35 PM
re: FTC Charges Two Companies With Exposing Data Via P2P Downloads
The FTC seems to be getting really aggressive with filing suits against companies. They also recently took an action against Wyndham Worldwide in connection with some data breaches that occurred a few years ago. If the government is cracking down, that could force businesses to more aggressively implement best practices and security technologies.
Brian Prince, InformationWeek/Dark Reading Comment Moderator