The US Federal Trade Commission has agreed to settle two legal cases against two companies that suffered catastrophic hacks in 2016.
Both got the equivalent of a slap on the wrist, despite having appalling security measures, not using any type of encryption, and storing data in plaintext, which, in turn, allowed hackers to steal millions of user records from each.
The bigger of the two hacks took place in September 2016 and targeted ClixSense, a web portal that paid users for completing surveys, watching ads, or performing various other tasks.
Because the company had “failed to implement minimal data security measures,” the hackers were able to download the personal data of all of ClixSense’s users, over 6.6 million in total.
According to the FTC, hackers stole full names, dates of birth, email and postal addresses, usernames, passwords, and answers to security questions, and even Social Security numbers for some of the site’s users.
The hackers, who have not been identified even to this day, uploaded 2.7 million records on Pastebin where everyone could download the data, and put the rest for sale on the dark web.
But the court documents also reveal details of ClixSense’s hack that have not been made public before. According to court documents, hackers ran amok inside the company’s network, accessing documents, email accounts, and credentials stored on employee laptops; changing employees’ passwords; redirecting email notifications for multiple network and cloud accounts; and even changing DNS records to point the company’s website to an adult-themed website.
Despite the company’s obvious security failings and the damage done to consumers, the FTC has not come down hard on the company, which failed even at the most basic tasks of securing its infrastructure.
Per the settlement, ClixSense and its CEO, James Grago, must not make false claims about the security and privacy of their service and must obtain independent biennial security assessments.
The FTC also signed a similar, though slightly harsher, settlement with another company, i-Dressup, which ran a now-defunct eponymous website for children.
This company made the exact same mistakes that ClixSense made, storing personal information in clear text with no encryption, and suffered the same fate two weeks after ClixSense.
A hacker breached i-Dressup’s website using an SQL injection flaw, downloaded the company’s entire database, and later uploaded it online.
In total, 2.1 million user records were posted online, 245,000 of which belonged to children who were under the age of 13 at the time of the hack.
And to make matters worse, the hack also exposed that i-Dressup wasn’t following the US Children’s Online Privacy Protection Act, and had been collecting data on children without permission from parents.
The company reached the same no-harm-done agreement with the FTC as ClixSense did, but also agreed to pay an additional $35,000 in civil penalties for COPPA violations.