FTC Charges Data Broker with Theft of Consumers’ Information and Money from Accounts

According to a recent Federal Trade Commission complaint, a data broker sold sensitive personal information of hundreds of thousands of consumers – including Social Security and bank account numbers – to scammers who allegedly debited millions from their accounts. The complaint alleges that data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers that it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization.

According to the FTC’s website and the complaint, these defendants would collect hundreds of thousands of payday loan applications from payday loan websites. These website applications, including those bought and sold by LeapLab, contained consumers’ sensitive financial information: names, addresses, phone numbers, Social Security numbers, and bank account numbers, including routing numbers.

The FTC’s complaint alleges that certain non-lender third parties included marketers that made unsolicited sales offers to consumers via email, text message, or telephone calls.  According to the FTC’s complaint, the defendants had reason to believe these marketers had “no legitimate need” for the sensitive information they were selling. The defendants in the case are alleged to have violated the FTC Act’s prohibition on unfair practices.

The FTC notes that it files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the FTC that a proceeding is in the public interest.  We will monitor this case and provide further updates of interest.


How Your Business Can Avoid a Merchant/Vendor Data Breach

In October 2015, many of the major vendors in the payment processing world will move to a new system for ensuring secure payment transactions. The new payment systems will be chip-and-PIN or chip-and-signature, depending on the merchant/vendor. Already successful in the earlier European rollout, the new systems should make information harder to steal and shift some or all of the liability to those vendors that have not become chip-and-PIN compliant. Further, the Payment Card Industry Data Security Standard (PCI DSS) sets out requirements to ensure that merchants process, store, and transmit encrypted data in a safe environment.

While these measures will help, they won’t eliminate the possibility of data being exposed at the point of sale. Whatever solutions are offered to secure data at the point of sale, one thing is for sure: they may not be enough to solve all levels of fraud.

Four Steps Merchants Must Take to Protect Themselves:

  1. Secure your perimeter IT network and web-based applications. Your IT network needs constant security updates/vulnerability assessments to ensure that no openings exist for hackers to compromise your secure data. Above all else, this perimeter or first line of defense system should be upgraded to ensure no areas of weakness exist.
  2. Monitor your systems at all times for suspicious IT and financial traffic. In this fast-moving world, you need constant 24/7 monitoring so your company can detect breaches faster and take immediate action to stop and mitigate losses. Vendors and merchants should formalize technologies to notify customers of potential data breaches or threats of the same.
  3. Be prepared for the worst. Prepare your company with data breach response training and crisis management in every jurisdiction in which you are located. Develop processes and periodically perform data breach preparation and readiness training with your employees, and practice with them at various times and under different simulated data breaches. Depending on your company’s level of risk tolerance, you may want to hire a security forensics team before any breach. Having a forensics team evaluated and retained before a breach occurs allows you to understand what it can and can’t do for your company, and lets you evaluate its skills and expertise before using the team.
  4. Purchase data breach insurance. Since this is a new and growing area of coverage, insurance companies can help you focus on what level of coverage the business needs and what is financially at risk. Since insurance companies have checklists and protocols established for data protection, use your insurance company’s checklist/process to confirm that your protection systems meet its underwriting requirements before you purchase the insurance.

All told, there is no simple way to prevent data breaches, but with foresight, preparation and an immediate action plan, you can prevent, minimize and respond quickly to any privacy breaches.