FTC Settles With Companies Over Exposed Records

Published : 22/11/2024   Category : security




Ceridian and Lookout Services settle with Federal Trade Commission over unfair and deceptive security practices that exposed sensitive information on 65,000 people.



Beware poor website data security practices. The Federal Trade Commission on Tuesday said that payroll provider Ceridian and immigration services software provider Lookout Services had settled charges that they failed to put sufficient security measures in place to protect sensitive information relating to 65,000 people.
Both Ceridian and Lookout claimed they would take reasonable measures to secure the consumer data they maintained, including social security numbers, but failed to do so, according to the FTC's charges. These flaws were exposed when security breaches at both companies put the personal information of thousands of consumers at risk.
Under the terms of the settlement agreement, both companies have agreed to implement a comprehensive information security program and to obtain independent, third-party security audits every other year for 20 years, said the FTC.
According to the FTC, Ceridian claimed to offer a comprehensive security program [that] is designed in accordance with ISO 27000 series standards, industry best practices, and federal, state and local regulatory requirements. In fact, Ceridian failed to encrypt personal information, instead storing it in clear text for an indeterminate amount of time.
These security lapses enabled an intruder to breach one of Ceridian's Web-based payroll processing applications in December 2009, and compromise the personal information--including Social Security numbers and direct deposit information--of approximately 28,000 employees of Ceridian's small business customers, said the FTC.
The second settlement announced by the FTC, meanwhile, involved Lookout Services, which develops Web-based software for verifying employees' work eligibility, to comply with federal immigration laws. Accordingly, the company stores names, addresses, dates of birth, and social security numbers, among other data points. But Lookout failed to store them securely, despite assurances to the contrary, and left them publicly accessible via its website, said the FTC.
In addition, it said, Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result, one of its customers was able to access the social security numbers of 37,000 people registered using Lookout's software.
The customer who spotted the information exposure was apparently a Minnesota State University employee, attending a Lookout-run training session in October 2010. According to Minnesota Public Radio, the employee alerted her supervisor that she could see names, birth dates, and social security numbers for employees at other companies. The employee reported the problem to supervisors and ultimately to Minnesota's Management and Budget Office, which held the contract with Lookout Services.
Lookout reportedly promised a fix, but one month later, sensitive information--some of it relating to Minnesota state employees--was still publicly available via the Lookout website. The state canceled its contract.
But the saga isn't over, as Lookout Services then sued the state for breach of contract. Notably, its contract with Minnesota specified that Lookout wasn't responsible for the security of any data, encrypted or otherwise. Auditor Jim Nobles told Minnesota Public Radio, "They told [the] state in their service agreement that they would not take any responsibility for it, and the state signed the agreement anyway."
