Two consumer websites have settled with the Federal Trade Commission (FTC) over allegations that they did not secure consumers’ data, allowing hackers to breach both sites.
The FTC accused the operators of i-Dressup.com of violating the Children’s Online Privacy Protection Act (COPPA), alleging that the website never obtained parental consent before collecting personal information from children under 13. The complaint names Unixiz, Inc., doing business as i-Dressup.com, and the individually named defendants, CEO Zhijun Liu and Secretary Xichen Zhang, alleging that they violated COPPA and failed to keep the data the site collected secure.
The FTC alleged that i-Dressup stored and transmitted users’ personal information in plain text, and failed to adequately test its network, install an intrusion detection and prevention system, or monitor for potential threats. This led to a security breach that compromised the data of approximately 2.1 million users, including around 245,000 users who indicated they were under 13.
As part of the settlement with the FTC, i-Dressup and its owners have agreed to pay $35,000 in civil penalties, and are prohibited from violating COPPA. They are also barred from selling, sharing or collecting any personal information until they implement a comprehensive data security program and obtain independent biennial assessments of this program. They must also provide an annual certification of compliance to the FTC.
In addition, the agency accused online rewards website ClixSense operator James V. Grago, Jr. of deceiving consumers by falsely claiming that the site “utilizes the latest security and encryption techniques to ensure the security of your account information.” Instead, the website failed to implement minimal data security measures, and stored personal information in clear text with no encryption.
As a result, hackers were able to gain access to the company’s network, and steal clear text information about 6.6 million consumers, including around 500,000 U.S. consumers. The hackers then published and offered for sale the personal information of approximately 2.7 million consumers — including full names and addresses, dates of birth, genders, answers to security questions, email addresses and passwords, as well as hundreds of Social Security numbers.
As part of the settlement, Grago is prohibited from falsely claiming the extent of the security provided by any company he owns and operates. In addition, he must implement a comprehensive information security program and obtain independent biennial assessments of this program, as well as provide an annual certification of compliance to the FTC.