Settlement in Gaming Company Breach FTC Calls for RockYou Fine, Audits

The Federal Trade Commission has reached a settlement with gaming developer RockYou stemming from a breach incident that affected 32 million users.

See Also: Healthcare Breaches - The Next Digital Epidemic

The settlement includes a $250,000 civil penalty and requires the company to submit to biennial independent audits for 20 years. RockYou also must implement and maintain a data security program. And the settlement prohibits the company from making deceptive claims about its privacy and security practices.

In a March 27 statement, the FTC said that RockYou, while touting its security features, failed to protect users' privacy. The FTC also alleged in its complaint against the company that it violated the Children's Online Privacy Protection Act Rule by collecting information from approximately 179,000 children younger than age 13. That violation led to the monetary penalty.

RockYou CEO Lisa Marino said in a statement: "We appreciate the work the FTC has done in this process as they have been fair, reasonable and timely throughout. The event that led to this complaint occurred over two years ago, and we have long since removed the features that led to this investigation."

Case Details

A December 2009 data breach at RockYou exposed username and password details on 32 million individuals, according to news reports. Reports say the usernames and passwords had been stored in clear text on the compromised database.

The FTC complaint explains that RockYou operates a website that allows users to play games and use other applications, such as assemble slide shows from their photos. To save the slide shows, users have to enter an e-mail address and password.

From December 2008 through January 2010, the complaint says that RockYou collected information, such as e-mail address, password, birth year, sex, ZIP code and country information, on children. Under the COPPA Rule, website operators have to notify parents and obtain their consent before collecting, using or disclosing personal information from children under 13.

The security failures of the company's website put the children's personal information at risk, the FTC claims.


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network