Equifax Settles With NY AG Over App Security


The Office of New York State Attorney General Barbara Underwood announced late last week that it had reached settlements with five companies whose mobile apps failed to protect user data while it was in transit over the internet.

According to a statement from Underwood, the AG settled with Western Union Financial Services, Priceline, Equifax, Spark Networks and Credit Sesame. Underwood said all five companies shipped mobile apps with a well-known security vulnerability that enabled hackers to intercept private data, including passwords, Social Security numbers, credit card account numbers and bank account information. The AG said all five companies told users that their data was protected but failed to test their apps against this known vulnerability. Under the settlements, the companies must put in place comprehensive security programs that protect users’ data. “Businesses that make security promises to their users — especially as it relates to personal information — have a duty to keep those promises,” Attorney General Underwood said in a press release announcing the settlements. “My office is committed to holding businesses accountable and ensuring they protect users’ personal information from hackers.”

It is well known that consumers using a public WiFi network in places such as an airport or coffee shop are at risk of having sensitive data intercepted if their traffic is not protected. To protect users, mobile browsers and apps typically use the Transport Layer Security (TLS) protocol, which encrypts data before it is sent over the internet. Encryption alone is not enough, however: TLS only protects the user if the app also verifies that the certificate presented by the server is valid and actually belongs to the server the app meant to reach. An app that skips that check still encrypts its traffic, but it encrypts it to whoever is on the other end of the connection, so an attacker on the same network who presents his own certificate can sit in the middle, decrypt everything the user enters and forward it on unnoticed. Although this weakness has been well known in the industry for years, as AG Underwood noted, the five companies’ apps failed to properly authenticate the certificates they received. That left open the chance that a hacker could intercept information the user entered into the app and, armed with it, engage in identity theft, credit card fraud and similar crimes, the AG said.
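The failure described above is a client-side configuration choice, not a flaw in TLS itself. The following is an added example, written for this article and not code from any of the companies named in it, that shows the weak client setup beside the hardened one in Python’s standard ssl module, the server-name check a client must run after the certificate chain verifies, and a small model of the accept/reject decision. The certificate dictionaries, the trusted-issuer list and client_accepts() are constructed for the demo; the dictionaries mimic the shape ssl.SSLSocket.getpeercert() returns.

```python
"""Weak vs. hardened TLS client setup, plus the server-name check.

Added example; not code from the article or any company it names.  The
certificates below are hand-built dictionaries in the shape returned by
ssl.SSLSocket.getpeercert(), and client_accepts() stands in for the decisions
a real handshake makes (chain validation is reduced to 'issued by a trusted CA').
"""
import ssl


def weak_context() -> ssl.SSLContext:
    """The pattern behind the settlements: traffic is encrypted, but the peer is
    never authenticated, so an interceptor's certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate at all
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain verified against the system trust store and bound to the server name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that would let a man-in-the-middle succeed."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: the certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows protocol versions below TLS 1.2")
    return findings


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard is honoured only
    as the whole leftmost label and never spans a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False
    h_head, h_sep, h_tail = hostname.partition(".")
    return bool(h_sep) and h_head != "" and h_tail == tail


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Does the certificate name the host the app meant to talk to?
    DNS subjectAltName entries are authoritative; commonName is a legacy fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)


def client_accepts(ctx: ssl.SSLContext, cert: dict, hostname: str, trusted_issuers) -> bool:
    """Model of a client's decision once the server's certificate arrives."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return True  # the chain is never examined
    issuers = {v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"}
    if not issuers & set(trusted_issuers):
        return False  # chain does not lead to a trusted CA
    if ctx.check_hostname and not hostname_matches(cert, hostname):
        return False  # trusted CA, but the certificate is for a different server
    return True


# Constructed sample data (not real certificates or CAs).
TRUSTED_ISSUERS = ["Example Root CA"]
BANK_CERT = {  # the certificate the genuine server presents
    "subject": ((("commonName", "app.example-bank.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "app.example-bank.com"), ("DNS", "*.api.example-bank.com")),
}
INTERCEPTOR_CERT = {  # a CA-issued certificate for a domain the attacker owns
    "subject": ((("commonName", "free-wifi.invalid"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "free-wifi.invalid"),),
}
SELF_SIGNED_CERT = {  # minted on the spot, naming the bank but signed by nobody trusted
    "subject": ((("commonName", "app.example-bank.com"),),),
    "issuer": ((("commonName", "app.example-bank.com"),),),
    "subjectAltName": (("DNS", "app.example-bank.com"),),
}

if __name__ == "__main__":
    host = "app.example-bank.com"
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(f"{label} context findings: {audit_context(ctx) or 'none'}")
        for name, cert in (("bank", BANK_CERT), ("interceptor", INTERCEPTOR_CERT),
                           ("self-signed", SELF_SIGNED_CERT)):
            ok = client_accepts(ctx, cert, host, TRUSTED_ISSUERS)
            print(f"  {label} client, {name} certificate for {host}: accepted={ok}")
```

In a real client, ctx.wrap_socket(sock, server_hostname=host) performs both the chain check and the name check for the hardened context, and the weak context skips them. The second sample certificate is the case practitioners most often miss: a certificate that chains to a trusted CA but names the attacker’s own domain is accepted by any client that validates the chain yet leaves check_hostname off. On Android the equivalent mistakes are a custom TrustManager whose checkServerTrusted() never throws and a HostnameVerifier that always returns true.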