Dec. 14, 2018
Western Union, Equifax, Priceline, Spark Networks and Credit Sesame Inc. all reached settlements with the New York State Attorney General’s office regarding what the regulator said was a failure to secure sensitive personal and financial data on their mobile apps, according to a release from the regulator.
The NY AG alleged that the five companies had mobile apps with inadequate Transport Layer Security (TLS), making them vulnerable to man-in-the-middle attacks when used over public Wi-Fi networks.
The vulnerability left user data such as credit card numbers, bank account numbers, Social Security numbers and passwords subject to being intercepted by hackers using fairly well-known techniques, according to the AG's release.
The AG says that the mobile apps used by these companies failed to properly authenticate SSL/TLS certificates, which left them vulnerable to an attacker impersonating the companies' respective servers and intercepting sensitive data entered into the apps.
The companies all told the AG’s office that they employed sufficient protocols to protect information, but regulators said they did not sufficiently test whether the mobile apps had these protocols, according to the release. The settlement requires that the companies take sufficient steps to secure these apps.
"Businesses that make security promises to their users — especially as it relates to personal information — have a duty to keep those promises," AG Barbara Underwood said in the announcement. "My office is committed to holding businesses accountable and ensuring they protect users' personal information from hackers."
The announcement is part of an effort by the AG’s office to examine the security of various sites before consumers fall victim to cyber attacks and other breaches, the regulator said. The AG's office said it has tested dozens of apps and online sites as part of the effort.
"Equifax reached a settlement with the New York Attorney General’s Office about this matter in May of 2017," Meredith Griffanti, a spokesperson for the company, said in an email. "The vulnerability mentioned was immediately remediated, and we have no evidence that consumer information was impacted as a result."
Officials at the remaining companies were not immediately available for comment.