Fandango, LLC and Credit Karma, Inc. recently settled with the Federal Trade Commission (FTC) over allegations that the companies failed to safely transmit consumers’ sensitive data despite the companies’ representations to the contrary. The FTC filed two separate complaints against Fandango, which operates a movies application for iOS operating systems, and Credit Karma, which operates an application allowing consumers to monitor and evaluate their credit and other financial information. 

The complaints allege that although the companies promised to protect information in their privacy policies, the two companies failed to provide “reasonable and appropriate security measures.” In particular, the companies did not validate Secure Sockets Layer (SSL) certificates for their iOS applications from March 2009 to March 2013 which, according to the FTC, was necessary to ensure that their applications were connecting to a genuine online service and establishing authentic, encrypted connections with consumers. The FTC alleges that when an application fails to validate SSL certificates, a third party is easily positioned for a “man-in-the-middle attack” whereby the attacker can decrypt, monitor, or alter all communications between the application and the online service. The complaints further allege that the companies failed to maintain an adequate process for receiving and addressing security vulnerability reports from third parties, and as a result of their failures, attackers could have intercepted information, including consumers’ credit card number, security codes, expiration dates, billing zip codes, email addresses, and passwords.

The settlement agreements with Fandango and Credit Karma require that the two companies not misrepresent the extent to which they maintain and protect consumers’ personal information and implement and maintain a “comprehensive security program” designed to both address security risks related to products and service for consumers as well as protect covered information. The companies are also subject to compliance assessments for 20 years. The agreements will be subject to public comment until April 28, 2014, at which time the FTC will decide whether to make the proposed consent orders final. 

Tip: This case demonstrates the FTC’s ongoing focus on data security matters and its continuing willingness to use Section 5 of the FTC Act to bring enforcement action.