"Both Ceridian and Lookout claimed they would take reasonable measures to secure the consumer data they maintained, including social security numbers, but failed to do so," according to the FTC's charges. "These flaws were exposed when security breaches at both companies put the personal information of thousands of consumers at risk."
Under the terms of the settlement agreement, both companies have agreed "to implement a comprehensive information security program and to obtain independent, third-party security audits every other year for 20 years," said the FTC.
According to the FTC, Ceridian claimed to offer a "comprehensive security program [that] is designed in accordance with ISO 27000 series standards, industry best practices, and federal, state and local regulatory requirements." In fact, Ceridian failed to encrypt personal information, instead storing it in clear text for an indeterminate period.
"These security lapses enabled an intruder to breach one of Ceridian's Web-based payroll processing applications in December 2009, and compromise the personal information--including Social Security numbers and direct deposit information--of approximately 28,000 employees of Ceridian's small business customers," said the FTC.
The second settlement announced by the FTC, meanwhile, involved Lookout Services, which develops Web-based software for verifying employees' work eligibility in compliance with federal immigration laws. Accordingly, the company stores names, addresses, dates of birth, and Social Security numbers, among other data points. But Lookout failed to store them securely, despite assurances to the contrary, and left them publicly accessible via its website, said the FTC.
In addition, it said, "Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training." As a result, one of its customers was able to access the Social Security numbers of 37,000 people registered using Lookout's software.
The customer who spotted the exposure was apparently a Minnesota State University employee attending a Lookout-run training session in October 2010. According to Minnesota Public Radio, the employee "alerted her supervisor that she could see names, birth dates, and social security numbers for employees at other companies. The employee reported the problem to supervisors and ultimately to Minnesota's Management and Budget Office, which held the contract with Lookout Services."
Lookout reportedly promised a fix, but one month later, sensitive information, some of it relating to Minnesota state employees, was still publicly available via the Lookout website. The state canceled its contract.
But the saga isn't over, as Lookout Services then sued the state for breach of contract. Notably, its contract with Minnesota specified that Lookout wasn't responsible for the security of any data, encrypted or otherwise. Auditor Jim Nobles told Minnesota Public Radio, "they told [the] state in their service agreement that they would not take any responsibility for it, and the state signed the agreement anyway."