Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


FTC Charges Two Companies With Exposing Data Via P2P Downloads

Firms did not use reasonable security methods to prevent installation of vulnerable software, FTC alleges

The Federal Trade Commission earlier this month charged two businesses with illegally exposing sensitive personal information of customers by allowing the installation of peer-to-peer file-sharing software in their enterprises.

According to a press release about the charges against EPN Inc. and Franklin's Budget Car Sales Inc., the FTC is alleging that the two companies failed to implement "reasonable security measures" against the installation of P2P software, which is used for trading music and movies, but may leave the involved computers open to data and file theft.

The FTC is seeking settlements with EPN, a debt-collection business, and the auto dealer that will bar misrepresentations about their privacy, security, confidentiality, and integrity of any personal information. The settlement also would require the companies to establish and maintain comprehensive information security programs.

The FTC alleges that EPN's chief operating officer installed P2P file-sharing software on the EPN computer system, causing sensitive information -- including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients -- to be made available to any computer connected to the P2P network.

The agency charged that EPN did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, and did not use reasonable methods to prevent, detect, and investigate unauthorized access to personal information on its networks.

The settlement order requires EPN to undergo data security audits by independent auditors every other year for 20 years.

In a separate case, the FTC charged that auto dealer Franklin’s Budget Car Sales (also known as Franklin Toyota/Scion) compromised consumers’ personal information by allowing P2P software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network.

Franklin sells and leases cars and provides financing for its customers. According to the FTC, its privacy policy said, “We restrict access to nonpublic personal information about you to only those employees who need to know that information to provide products and services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard nonpublic personal information.”

The FTC alleges that Franklin failed to implement reasonable security measures to protect consumers’ personal information, and, as a result, information for 95,000 consumers was made available on the P2P network. The information included names, addresses, Social Security Numbers, dates of birth, and driver’s license numbers.

The agency charged that Franklin failed to assess risks to the consumer information it collected and stored online, and failed to adopt policies to prevent or limit unauthorized disclosure of information. It also allegedly failed to prevent, detect, and investigate unauthorized access to personal information on its networks, failed to adequately train employees, and failed to employ reasonable measures to respond to unauthorized access to personal information.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/30/2012 | 7:07:26 PM
re: FTC Charges Two Companies With Exposing Data Via P2P Downloads
More job security for me
User Rank: Ninja
6/30/2012 | 11:51:35 PM
re: FTC Charges Two Companies With Exposing Data Via P2P Downloads
The FTC seems to be getting real aggressive with filing suits against companies. They also recently took an action against Wyndham Worldwide in connection with some data breaches that occurred a few years ago. If the government is cracking down, that could force businesses to more aggressively implement best practices and security technologies.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...