Customers who hired the infamous ID theft-protection firm Lifelock to monitor their identities after their data was stolen in a breach were in for a surprise. It turns out Lifelock failed to properly secure their data.
According to a complaint filed in court today by the Federal Trade Commission, Lifelock has failed to adhere to a 2010 order and settlement that required the company to establish and maintain a comprehensive security program to protect sensitive personal data users entrust to the company as part of its identity-theft protection service.
This is ironic, of course, because Lifelock promotes its services to companies that experience data breaches and urges them to offer a complimentary Lifelock subscription to people whose data has been compromised in a breach. To properly monitor victims' credit accounts to protect them against ID theft, Lifelock requires a wealth of sensitive data, including names and addresses, birth dates, Social Security numbers, and bank card information.
...
But it turned out that none of that data was encrypted. The company also had poor password management practices for employees and vendors who accessed the information, and Lifelock failed to limit access to sensitive data to only people who needed access. What's more, the company failed to apply critical security patches and updates to its network and "failed to employ sufficient measures" to detect and prevent unauthorized access to its network, "such as by installing antivirus or antispyware programs on computers used by employees to remotely access the network or regularly recording and reviewing activity on the network," the FTC found.
(Score: 5, Interesting) by Anonymous Coward on Thursday July 23 2015, @01:13AM
A couple of things:
(1) Nothing on the internet is completely safe. The only question is how much effort is required to crack it.
(2) The data these guys collect from their customers is primo stuff. That makes them a target worth spending extra resources on cracking because of the high pay-off.
(3) It sounds like they couldn't even be arsed to do the bare minimum, much less secure it to a level proportionate to its value.
(4) That CEO needs to go to jail for fraud.
(Score: 3, Interesting) by dyingtolive on Thursday July 23 2015, @03:57AM
Didn't the CEO get scammed years ago when he put his SSN on TV? Was that a myth?
Did they get a new CEO since then?
Don't blame me, I voted for moose wang!
(Score: 0) by Anonymous Coward on Thursday July 23 2015, @04:28AM
Why does this information need to be on the internet at all?