
FTC Charges Two Companies With Exposing Data Via P2P Downloads

Firms did not use reasonable security measures to prevent the installation of peer-to-peer file-sharing software on computers holding customer data, FTC alleges

The Federal Trade Commission earlier this month charged two businesses with illegally exposing sensitive personal information of customers by allowing the installation of peer-to-peer file-sharing software in their enterprises.

According to a press release about the charges against EPN Inc. and Franklin's Budget Car Sales Inc., the FTC alleges that the two companies failed to implement "reasonable security measures" against the installation of P2P file-sharing software. Such software is typically used to trade music and movies, but it publishes whatever sits in its shared folders to every other peer on the network, so business documents that end up there are exposed to anyone running the same client.

The FTC is seeking settlements with EPN, a debt-collection business, and the auto dealer that would bar misrepresentations about the privacy, security, confidentiality, and integrity of any personal information they hold. The settlements would also require the companies to establish and maintain comprehensive information security programs.

The FTC alleges that EPN's chief operating officer installed P2P file-sharing software on the EPN computer system, causing sensitive information -- including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients -- to be made available to any computer connected to the P2P network.

The agency charged that EPN did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, and did not use reasonable methods to prevent, detect, and investigate unauthorized access to personal information on its networks.

The settlement order requires EPN to undergo data security audits by independent auditors every other year for 20 years.

In a separate case, the FTC charged that auto dealer Franklin’s Budget Car Sales (also known as Franklin Toyota/Scion) compromised consumers’ personal information by allowing P2P software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network.

Franklin sells and leases cars and provides financing for its customers. According to the FTC, its privacy policy said, “We restrict access to nonpublic personal information about you to only those employees who need to know that information to provide products and services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard nonpublic personal information.”

The FTC alleges that Franklin failed to implement reasonable security measures to protect consumers’ personal information, and, as a result, information on 95,000 consumers was made available on the P2P network. The information included names, addresses, Social Security numbers, dates of birth, and driver’s license numbers.

The agency charged that Franklin failed to assess risks to the consumer information it collected and stored online, and failed to adopt policies to prevent or limit unauthorized disclosure of information. It also allegedly failed to prevent, detect, and investigate unauthorized access to personal information on its networks, failed to adequately train employees, and failed to employ reasonable measures to respond to unauthorized access to personal information.
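In both cases the FTC faulted the company for failing to prevent or detect that records had landed in a folder a file-sharing client would publish. The script below is an added example for this article, not code from the FTC, EPN or Franklin: it walks a directory the way a P2P client does when it indexes a share and reports any file that contains Social Security number patterns or whose extension marks it as a record export. The sample share it builds, the SSN regex and the record-extension list are all constructed assumptions for the demonstration.

```python
"""Audit a folder before (or after) a P2P client publishes it.

Added example, not code from the FTC or the companies named in the article.
It reports files inside a would-be shared folder that contain SSN-shaped
strings or that look like record exports, so an operator can pull them
before the share goes live.
"""
import os
import re
import tempfile

# SSN shape AAA-GG-SSSS, excluding groups the SSA never issues
# (area 000, 666, 900-999; group 00; serial 0000). Assumed pattern.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Extensions that usually hold exported records rather than media; assumed list.
RECORD_EXTS = {".csv", ".xls", ".xlsx", ".mdb", ".accdb", ".dbf", ".sql"}

MAX_BYTES = 4 * 1024 * 1024  # read at most 4 MiB per file


def scan_file(path):
    """Return the number of SSN-shaped strings in a file (0 for binary files)."""
    with open(path, "rb") as fh:
        data = fh.read(MAX_BYTES)
    if b"\x00" in data:  # crude binary check: media files are skipped
        return 0
    text = data.decode("utf-8", errors="replace")
    return len(SSN_RE.findall(text))


def audit_shared_dir(root):
    """Walk root like a P2P indexer and return findings sorted by path.

    Each finding is a dict with the relative path, the count of SSN matches
    and whether the extension marks it as a record export. Files with
    neither signal are not reported.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            ssn_hits = scan_file(full)
            is_record = ext in RECORD_EXTS
            if ssn_hits or is_record:
                findings.append(
                    {"path": rel, "ssn_matches": ssn_hits, "record_file": is_record}
                )
    return sorted(findings, key=lambda f: f["path"])


def build_sample_share():
    """Create a constructed share folder: one leaked export, two benign files."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "music"))
    os.makedirs(os.path.join(root, "exports"))
    with open(os.path.join(root, "music", "track01.mp3"), "wb") as fh:
        fh.write(b"ID3\x00\x00\x00" + bytes(range(256)))  # binary placeholder
    with open(os.path.join(root, "exports", "patients.csv"), "w") as fh:
        fh.write("name,ssn,dx_code\n")
        fh.write("Jane Doe,123-45-6789,E11.9\n")  # constructed values, not real
        fh.write("John Roe,234-56-7890,I10\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("Support line 800-555-0100; test id 000-12-3456 is not an SSN.\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for finding in audit_shared_dir(share):
        print(finding)
```

Run against the constructed share, the audit flags only exports/patients.csv (two SSN matches and a record extension); the media file is skipped as binary and readme.txt produces no hits because neither the phone number nor the 000-area string has a valid SSN shape. In production the same walk would be pointed at the client's configured share directories and run on a schedule, with any finding treated as an incident rather than a log line.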

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals.

Comments
CBEAUREGARD481 (User Rank: Apprentice), 7/30/2012 7:07:26 PM
re: FTC Charges Two Companies With Exposing Data Via P2P Downloads
More job security for me.
Bprince (User Rank: Ninja), 6/30/2012 11:51:35 PM
re: FTC Charges Two Companies With Exposing Data Via P2P Downloads
The FTC seems to be getting really aggressive with filing suits against companies. They also recently took an action against Wyndham Worldwide in connection with some data breaches that occurred a few years ago. If the government is cracking down, that could force businesses to more aggressively implement best practices and security technologies.
Brian Prince, InformationWeek/Dark Reading Comment Moderator