Fandango and Credit Karma Get 20 Years For Disabling App Security

Online movie-ticket vendor Fandango and credit-report site Credit Karma face 20 years of security assessments as part of a settlement of charges that they exposed customers’ personal information to identity thieves, the U.S. Federal Trade Commission announced on Tuesday (Aug. 19).

In March, the FTC charged both companies with advertising that they handled payment-card information securely while actually disabling their mobile apps’ default security features, which would have used SSL certificate verification to protect the information.

According to the FTC complaints, the Fandango iOS app exposed customers’ credit card numbers, security codes, expiration dates, ZIP codes, email addresses and passwords. The Credit Karma iOS and Android apps exposed Social Security numbers, names, dates of birth, home addresses, phone numbers, email addresses, passwords, credit scores and credit report details such as account names and balances.

Under the settlements, both companies will have to establish comprehensive security programs to address security risks during app development, and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.