FTC settles data breach charges against two firms

Data breaches in late 2009 exposed the personal information of 65,000 consumers, the FTC says

The U.S. Federal Trade Commission will require two companies -- one providing payroll and human resources services and another providing immigration law compliance services -- to undergo independent security audits for 20 years after data breaches exposed the personal information of 65,000 employees of the two companies' business partners.

The FTC, in proposed settlements announced Tuesday, will require payroll and HR firm Ceridian and immigration law services firm Lookout Services to implement comprehensive information security programs and to obtain independent security audits every other year for 20 years.

Both companies promised their business customers they took reasonable measures to protect the data they maintained, but during recent data breaches, thieves were able to gain access to personal records, including Social Security numbers, the FTC said in a press release.

Neither company responded immediately to requests for comments on the proposed settlements.

Ceridian, a provider to businesses of payroll and other human resource services, promised that it maintained "worry-free safety and reliability," the FTC said. The company also said it maintained a comprehensive security program using "industry best practices."

But the company, based in Minneapolis, did not adequately protect its network from reasonably foreseeable attacks, and it stored personal information in clear, readable text on its network, the FTC said. The company failed to take "readily available, free or low-cost defenses" against SQL injection attacks, the FTC said in its complaint against the company.

In December 2009, an intruder breached one of Ceridian's Web-based payroll processing applications. The personal information, including Social Security numbers and direct deposit information, of nearly 28,000 employees of Ceridian's small-business customers was compromised in the attack, the FTC said.

The second company, Lookout Services of Bellaire, Texas, markets a product that allows businesses to comply with federal immigration laws. The product stores employee information including names, addresses, dates of birth and Social Security numbers.

Lookout promised that its system kept data reasonably secure, but unauthorized access to sensitive employee information could allegedly be gained without the need for a user name or password, the FTC said. Since 2006, Lookout said in promotional materials: "Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated software tools."

But Lookout did not employ an intrusion detection system until October 2009 and did not adequately monitor logs until December 2009, the FTC said in its complaint against the company.

In October and December 2009, an employee of a Lookout customer was able to gain access to the product's database by typing a URL into a Web browser, the FTC said in its complaint. The intruder was able to gain access to personal information, including Social Security numbers, of about 37,000 consumers, the FTC said.

Lookout also failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training, the FTC alleged.

The settlement orders bar the companies from making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected about consumers. The proposed settlements are open to public comment until June 2.

In March, the FTC proposed a similar settlement in response to Google exposing personal information of Gmail users when it rolled out its Buzz social-networking service.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
