FTC settles data breach charges against two firms

Data breaches in late 2009 exposed the personal information of 65,000 consumers, the FTC says

The U.S. Federal Trade Commission will require two companies -- one providing payroll and human resources services and another providing immigration law compliance services -- to undergo independent security audits for 20 years after data breaches exposed the personal information of 65,000 employees of the two companies' business partners.

The FTC, in proposed settlements announced Tuesday, will require payroll and HR firm Ceridian and immigration law services firm Lookout Services to implement comprehensive information security programs and to obtain independent security audits every other year for 20 years.

Both companies promised their business customers they took reasonable measures to protect the data they maintained, but during recent data breaches, thieves were able to gain access to personal records, including Social Security numbers, the FTC said in a press release.

Neither company responded immediately to requests for comments on the proposed settlements.

Ceridian, a provider to businesses of payroll and other human resource services, promised that it maintained "worry-free safety and reliability," the FTC said. The company also said it maintained a comprehensive security program using "industry best practices."

But the company, based in Minneapolis, did not adequately protect its network from reasonably foreseeable attacks, and it stored personal information in clear, readable text on its network, the FTC said. The company failed to take "readily available, free or low-cost defenses" against SQL injection attacks, the FTC said in its complaint against the company.

In December 2009, an intruder breached one of Ceridian's Web-based payroll processing applications. The personal information, including Social Security numbers and direct deposit information, of nearly 28,000 employees of Ceridian's small-business customers was compromised in the attack, the FTC said.

The second company, Lookout Services of Bellaire, Texas, markets a product that allows businesses to comply with federal immigration laws. The product stores employee information including names, addresses, dates of birth and Social Security numbers.

Lookout promised that its system kept data reasonably secure, but unauthorized access to sensitive employee information could allegedly be gained without the need for a user name or password, the FTC said. Since 2006, Lookout said in promotional materials: "Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated software tools."

But Lookout did not employ an intrusion detection system until October 2009 and did not adequately monitor logs until December 2009, the FTC said in its complaint against the company.

In October and December 2009, an employee of a Lookout customer was able to gain access to the product's database by typing a URL into a Web browser, the FTC said in its complaint. The intruder was able to gain access to personal information, including Social Security numbers, of about 37,000 consumers, the FTC said.

Lookout also failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training, the FTC alleged.

The settlement orders bar the companies from making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected about consumers. The proposed settlements are open to public comment until June 2.

In March, the FTC proposed a similar settlement in response to Google exposing personal information of Gmail users when it rolled out its Buzz social-networking service.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
