Last year, there were over 2,000 confirmed data breaches. While most breaches highlighted in the media occur at large, well-known companies, those that happen at smaller companies can still have a devastating impact on consumers and result in severe consequences. Two unrelated web-based companies, i-Dressup and ClixSense, each failed to provide reasonable data security, enabling hackers to steal the personal information, including social security numbers and IP addresses, of over 12 million consumers combined. These companies recently reached separate settlements with the Federal Trade Commission (FTC): the i-Dressup settlement included a civil penalty, and both impose new standards of care around cybersecurity.
In Part 2 of our series tracking popular settlement actions and court cases, we’ll take a closer look at the data breaches at i-Dressup and ClixSense, the settlement orders issued by the FTC, and what lessons others can learn and apply from these incidents.
i-Dressup Data Breach
On July 15, 2016, i-Dressup, a fashion-themed Flash game website and online community, suffered a catastrophic data breach, compromising the data of 5.5 million members. Most significantly, i-Dressup, popular among teens and young children, allegedly violated the Children’s Online Privacy Protection Act (COPPA) by failing to obtain parental consent before collecting the personal information of children under the age of 13. In April 2019, the FTC settled the case with Unixiz, Inc., the California-based company behind i-Dressup.
Discovery of the i-Dressup Data Breach
The i-Dressup data breach was discovered in September 2016 when an unknown person claiming to be the hacker provided Ars Technica (a technology news and information website) and Have I Been Pwned (a free breach notification service website) with 2.2 million account credentials. According to the hacker, there were no adequate security measures in place to keep them or any other cyber-criminal from downloading the entire i-Dressup database containing the unencrypted personal information of over 5.5 million members.
By entering email addresses taken from the hacker’s list into the “Forgot Password” form on the i-Dressup website, the two outlets confirmed that each address was registered on the site. That the form answered differently for registered and unregistered addresses is a weakness in its own right: a password-reset form that reveals whether an account exists lets anyone enumerate valid accounts. In addition to email addresses, the hacker provided plain-text passwords, usernames, birthdates, genders, and a wealth of other sensitive personal information. Some of this information belonged to 245,000 children under the age of 13.
Ars Technica used the “Contact Us” page on the i-Dressup website to privately notify the company of the breach and security vulnerability but was met with silence. A week later, i-Dressup took down its site without notifying any of its millions of members of the breach.
Allegations Against i-Dressup
In April 2019, the FTC launched a case against i-Dressup. In its complaint, the FTC alleged that i-Dressup violated provisions of COPPA and put its members’ data at risk. COPPA requires companies that provide online services to children under 13 to meet specific privacy standards, such as obtaining parental consent and providing reasonable data security for their young members. COPPA also gives parents control over what information is collected about their children (e.g., names, addresses, usernames, phone numbers, social security numbers, photographs, or any other identifiable information).
The FTC alleged that when parents declined consent for their children during registration, i-Dressup still retained the personal information submitted, rather than deleting such information. Therefore, by failing to obtain parental consent prior to collecting personal information, i-Dressup failed to meet COPPA’s standards. The parental consent email structure also did not meet COPPA’s standards for ensuring that the person providing consent was the parent of the child.
In addition, i-Dressup allegedly violated COPPA’s data security requirement, which obliges operators to maintain reasonable procedures to protect the confidentiality, security, and integrity of children’s personal information; storing passwords in plain text falls well short of that standard. The FTC complaint highlighted four specific data security inadequacies, stating that i-Dressup:
- Failed to adequately assess its web applications and network for well-known vulnerabilities, such as SQL injection;
- Stored and transmitted members’ personal information (including passwords) in plain text;
- Failed to implement an intrusion detection and prevention system, or similar safeguards, to alert of any potentially unauthorized access to the network; and
- Failed to monitor logs to identify potential security incidents.
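The two application-level failings in the complaint (plain-text password storage and a query path never assessed for SQL injection) and the “Forgot Password” enumeration weakness noted earlier can all be shown in a few dozen lines. The following is an added example, not i-Dressup’s or ClixSense’s code: it builds an in-memory SQLite table with constructed accounts (table and column names are assumptions) and places the vulnerable pattern beside a hardened one that parameterises the query, stores a salted scrypt hash, compares in constant time, and answers password-reset requests identically whether or not the address is registered.

```python
"""Added example (not i-Dressup's or ClixSense's code): the failings in the
complaints shown beside hardened versions, run against an in-memory SQLite
table with constructed accounts. Table and column names are assumptions."""
import hashlib
import hmac
import secrets
import sqlite3

RESET_QUEUE = {}  # stands in for the outbound e-mail queue


def build_db():
    """Two constructed tables: the plain-text one the vulnerable path reads,
    and the salted-hash one the hardened path reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (email TEXT, password TEXT)")
    conn.execute("INSERT INTO users_plain VALUES ('alice@example.com', 'hunter2')")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    register(conn, "alice@example.com", "hunter2")
    return conn


# --- the pattern the complaints describe: plain-text passwords and a query
#     built by string formatting that was never assessed for SQL injection ----

def vulnerable_login(conn, email, password):
    """An e-mail of  x' OR '1'='1' --  rewrites the WHERE clause and logs in
    without knowing any password."""
    sql = (f"SELECT email FROM users_plain WHERE email = '{email}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


# --- hardened path ------------------------------------------------------------

def hash_password(password, salt=None):
    """scrypt with a per-user random salt; returns (salt, 32-byte digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def register(conn, email, password):
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
                 (email, salt, digest))


def login(conn, email, password):
    """Parameterised lookup, constant-time compare, and a dummy hash for unknown
    accounts so response time does not reveal whether the e-mail exists."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        hash_password(password, salt=b"\x00" * 16)  # burn the same CPU time
        return False
    _, candidate = hash_password(password, salt=row[0])
    return hmac.compare_digest(candidate, row[1])


def forgot_password(conn, email):
    """Same reply for registered and unregistered addresses; a random token is
    queued only for real accounts, so the form cannot be used to enumerate them."""
    exists = conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone()
    if exists:
        RESET_QUEUE[email] = secrets.token_urlsafe(32)
    return "If that address is registered, a reset link has been sent to it."


if __name__ == "__main__":
    db = build_db()
    print("injection against vulnerable login:", vulnerable_login(db, "x' OR '1'='1' --", "x"))
    print("injection against hardened login:  ", login(db, "x' OR '1'='1' --", "x"))
    print(forgot_password(db, "alice@example.com"))
    print(forgot_password(db, "nobody@example.com"))
```

The vulnerable path fails twice over: the injected string turns the `WHERE` clause into a tautology, and even without injection the table itself is the breach, since whoever dumps it has every password. The hardened path still needs transport protection (the complaint also faults transmission in plain text), which is a TLS configuration matter rather than application code.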
Settlement Against i-Dressup
As part of the settlement, i-Dressup and its owners agreed to pay $35,000 in civil penalties, which will go to the US Treasury. i-Dressup is also prohibited from violating COPPA in the future and cannot sell, share, or collect personal information until they implement a comprehensive information security program. The company will also have to execute independent biennial assessments and provide the FTC with an annual certification of compliance. As of February 2020, i-Dressup still has not relaunched their website.
ClixSense Data Breach
ClixSense.com, a website that pays users for watching ads and completing surveys, became the victim of a large-scale data breach in September 2016, exposing the sensitive personal information of over 6.6 million users. The breach revealed a lack of basic security practices, which led to the compromise of ClixSense’s servers, networks, and domains. In April 2019, the FTC issued its complaint against ClixSense. Because ClixSense is a small business, the consent order’s provisions and requirements significantly impact its operations.
Discovery of the ClixSense Data Breach
ClixSense had very low overhead and operated as a sole proprietorship, with James Grago as its sole owner. In November 2015, a ClixSense user told Grago about a web browser extension that could facilitate click fraud, allowing users to be paid for advertisements they did not watch. Concerned about a potential scam, Grago installed the browser extension on a computer connected to the ClixSense network in February 2016.
Over the next few months, hackers were able to use this browser extension as an entry point to obtain information stored on ClixSense’s network and to enable additional attacks, which involved:
- Deleting content from the ClixSense website
- Accessing documents, emails, and other credentials on employee laptops
- Changing employee logins and passwords
- Redirecting email notifications for multiple network accounts, including the website’s cloud and DNS hosting services
The attack became apparent when the hackers redirected the ClixSense website to an unaffiliated adult-themed website.
In September 2016, one of the hackers used credentials taken from a compromised employee laptop to access an old ClixSense server whose credentials had never been changed from the defaults. Because the old server was still connected to the ClixSense network where consumer personal information was stored, the hacker downloaded a copy of the ClixSense user table, which contained the plain-text information of 6.6 million users, 500,000 of them in the U.S.
Following the attack, the hacker posted a message on Pastebin, a website for storing and sharing plain-text data, publishing the stolen data of 2.2 million ClixSense users and auctioning off the data of the remaining 4.4 million users along with the website’s source code.
Have I Been Pwned verified the breach, and shortly afterwards Grago sent Ars Technica a private message confirming the breach of 6.6 million accounts. In response, ClixSense shut down the old, vulnerable server and required users to change their passwords and re-enter their account details. Although ClixSense published an announcement of the breach on its website, it did not send individual breach notification emails to U.S. consumers for two months, and it gave no details of the steps taken to secure user accounts.
Allegations Against ClixSense
In the complaint against ClixSense, the FTC alleged that the website’s inadequate data security measures allowed hackers to reach consumers’ sensitive information through the company’s network, and that ClixSense had not adopted the minimum protections that most data security standards call for.
Ultimately, though, the FTC took action against ClixSense on two grounds: deception, because the site promised “the latest security and encryption techniques” that were not in fact in place, and unfairness, because it failed to use reasonable security to protect users’ account information. The complaint charged ClixSense on three counts:
- Count 1 – Deception: Misrepresentation about Encryption
  - Failed to use encryption to protect users’ personal information
  - Failed to employ transport layer security
- Count 2 – Deception: Misrepresentation about Latest Security Techniques
  - Failed to perform vulnerability and penetration testing of the network
  - Failed to use intrusion detection and prevention systems
  - Failed to assess cybersecurity events
  - Failed to monitor unauthorized attempts to exfiltrate users’ personal information
- Count 3 – Unfairness: Failure to Employ Reasonable Security Practices
  - Failed to prevent employees from storing plain-text user credentials in personal email accounts and on ClixSense’s laptops
  - Failed to change default login and password credentials for network resources
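Several of these counts, and the “failed to monitor logs” item in the i-Dressup complaint, come down to the same gap: nobody was looking at the evidence the systems already produced. The block below is an added example, not ClixSense’s tooling, that runs three simple detections over constructed log lines in a hypothetical `key=value` format: a successful login to a default account from outside an assumed trusted range, a database query returning enough rows to be a bulk export of the user table, and repeated failed logins from one source. The 6.6 million-row export mirrors the ClixSense user-table download; the hosts, addresses, thresholds, and format are all assumptions.

```python
"""Added example (not ClixSense's tooling): three log-monitoring rules run
over constructed log lines. Format, hosts, addresses and thresholds are
assumptions chosen to mirror the failings in the FTC complaints."""
import re
from collections import Counter

DEFAULT_ACCOUNTS = {"admin", "root", "administrator"}  # vendor/default logins
TRUSTED_NETS = ("10.0.0.",)                              # assumed corporate range
BULK_ROWS = 100_000                                      # rows that look like an export
FAIL_THRESHOLD = 5                                       # failed logins per source

# Constructed sample: a default-account login to the legacy server from the
# internet, a full dump of the user table, six failed logins from one address,
# and some ordinary traffic that must not alert.
SAMPLE_LOG = """\
2016-09-01T02:11:05Z auth host=legacy-srv01 user=admin src=203.0.113.7 result=success
2016-09-01T02:11:09Z db host=legacy-srv01 user=admin query="SELECT * FROM users" rows=6600000
2016-09-01T02:12:30Z auth host=web01 user=alice src=198.51.100.4 result=fail
2016-09-01T02:12:31Z auth host=web01 user=alice src=198.51.100.4 result=fail
2016-09-01T02:12:32Z auth host=web01 user=bob src=198.51.100.4 result=fail
2016-09-01T02:12:33Z auth host=web01 user=bob src=198.51.100.4 result=fail
2016-09-01T02:12:34Z auth host=web01 user=carol src=198.51.100.4 result=fail
2016-09-01T02:12:35Z auth host=web01 user=carol src=198.51.100.4 result=fail
2016-09-01T02:15:00Z auth host=web01 user=alice src=10.0.0.5 result=success
2016-09-01T02:16:00Z auth host=web01 user=admin src=10.0.0.9 result=success
2016-09-01T02:16:05Z db host=web01 user=app query="SELECT id FROM users WHERE id = 42" rows=1
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse(line):
    """Split '<ts> <kind> k=v k="v v" ...' into a dict."""
    ts, kind, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"], fields["kind"] = ts, kind
    return fields


def detect(log_text):
    """Return a list of alert tuples; the first element names the rule."""
    alerts = []
    fails = Counter()  # failed logins per source (a real detector would window by time)
    for line in log_text.strip().splitlines():
        ev = parse(line)
        if ev["kind"] == "auth":
            if (ev["result"] == "success" and ev["user"] in DEFAULT_ACCOUNTS
                    and not ev["src"].startswith(TRUSTED_NETS)):
                alerts.append(("default-account-login", ev["host"], ev["user"], ev["src"]))
            elif ev["result"] == "fail":
                fails[ev["src"]] += 1
                if fails[ev["src"]] == FAIL_THRESHOLD:  # alert once, at the threshold
                    alerts.append(("brute-force", ev["host"], ev["src"], FAIL_THRESHOLD))
        elif ev["kind"] == "db" and int(ev["rows"]) >= BULK_ROWS:
            alerts.append(("bulk-export", ev["host"], ev["user"], ev["query"], int(ev["rows"])))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

None of these rules is sophisticated; the point is that the first two lines of the sample, a default account logging in from the internet and then reading the whole user table, are exactly the events the complaint says went unnoticed, and a few lines of rules over existing logs would have surfaced them.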
The complaint also faulted ClixSense for lacking a proper business continuity plan: rather than restore user accounts from a backup after deleting the old, vulnerable server, which it considered too time-consuming, the company required those users to provide their personal information again.
Settlement Against ClixSense (and Grago)
On July 2, 2019, the FTC reached a comprehensive settlement with ClixSense and Grago, its sole operator. Although the unreasonable security practices were ClixSense’s, the obligations in the settlement fall on Grago personally. The settlement states that any business controlled by Grago that collects personal consumer information will be required to:
- Maintain a comprehensive information security (IS) program that includes regular testing, monitoring, and employee training
- Retain an independent, third-party vendor to assess the compliance with and effectiveness of the IS program on a biennial (every two years) basis
- Submit the compliance assessment reports to the FTC
- Refrain from any misrepresentations about privacy or security of personal information
- Provide the FTC with an annual certification regarding the compliance with the order and a brief description of any actual or suspected data breach that is reported
In addition, Grago must inform the FTC of the goods and services offered, all advertising and marketing, selling practices, and contact information of any business in which he has a role. All of this must be updated within 14 days of any changes. Grago must also keep accounting and personal records, copies of all the privacy- and consumer-related complaints, and copies of the privacy and security statements made by the businesses he operates for the next five years.
All of the provisions set forth by the FTC against Grago must be upheld for the next 20 years. If Grago violates any of the order’s terms and the FTC or Justice Department files a lawsuit over the violation, the 20-year term restarts from that filing. Less than 30 days after the settlement was reached, ClixSense relaunched its website and services under the name ySense without any mention of the previous data breach.
Operating a business without adequate security measures in place is a massive risk, as was illustrated through the i-Dressup and ClixSense cases. Both failed to implement the right security measures and each fell victim to a severe data breach. Fortunately, there are many steps you can take to help protect your business from a data breach and minimize the disruption in the event of a disaster. The standards of care outlined in the FTC cases following these breaches indicate that the measures below can help minimize the risk of a breach and the impact of an incident.
Implement a Comprehensive Security Program: A security program is your company’s information security policies, processes, guidelines, and standards. It works to ensure the proper preventative measures are in place to protect your data, analyze suspicious activity, manage risk, and provide remediation if a breach does occur. In the cases of i-Dressup and ClixSense, an effective security program could have detected the unauthorized access, potentially preventing both data breaches.
Annually Conduct Third-Party Assessments: Working with an independent third-party to assess your cybersecurity efforts can help your organization learn more about how your data is being used, stored, who has access to it, and whether it is encrypted. Assessors perform employee interviews, independent samplings, and document reviews to evaluate the maturity of your cybersecurity program and help you gain a better understanding of the risks you’re facing. Based on the results, changes can be made to your information security program to better address these detected risks and further secure the sensitive personal information your organization handles.
Document Information Security Policies and Procedures: Both i-Dressup and ClixSense are now required to annually demonstrate their compliance with the FTC settlement requirements. This means they must maintain detailed documentation of their information security program, controls, and policies. Properly documenting security measures and policies is a practice every organization should do. This documentation helps streamline compliance with regulations and standards and can also make response processes run smoother in the event of an incident.
Train and Educate Employees: Many data breaches, ClixSense’s among them, stem from human error. At ClixSense, a server’s credentials were never changed from the default, which let the hacker gain access easily, and Grago installed a malicious browser extension on a networked machine without any security precautions in place. Training employees to change default credentials on all devices, generate strong passwords, enable multi-factor authentication, and recognize common attack methods can play an important role in protecting your company against a breach.
Develop an Incident Response Plan: Developing a comprehensive breach preparedness plan can help your business take swift action in the event of a breach, satisfying the appropriate data breach laws and outlining the next steps following the breach. Having a good response plan will help you respond to a breach quickly, limit its damage, and understand what information was exposed, which will help to lower reputational damage and increase consumer trust.
Want more risk management insights?
Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.