FTC Cracking Down on Privacy Violations
New Complaint Alleges Data Broker Exposed Consumers to Fraud
Last week, the FTC filed a complaint against a Nevada-based data broker, along with its former CEO, for selling consumers' personal information, such as Social Security and bank account numbers, to third parties that allegedly used that information to make unauthorized charges to consumer bank accounts.
Security experts, including Tom Kellermann, chief cybersecurity officer of Trend Micro, say the FTC's action is a positive step toward ensuring consumer privacy.
"The FTC has awoken to the reality that there can be no privacy without cybersecurity," Kellermann says. "The robust criminal underground had been targeting the data aggregators and credit bureaus for some time now, but never via an overt conspiracy like this."
According to a statement issued by the FTC on Dec. 23, data broker LeapLab, an Arizona-based company that is owned by Nevada-based Sitesearch Corp., allegedly bought and sold payday loan applications submitted by hundreds of thousands of financially struggling U.S. consumers to third-party marketing firms without the consumers' knowledge or consent.
At least one of those marketers, a company known as Ideal Financial Solutions Inc., allegedly used information from those payday loan applications to post unauthorized charges to consumers' accounts for financial products and services that were never delivered.
According to the FTC's complaint, filed Dec. 22 with a district court in Arizona, Ideal Financial between 2009 and 2013 allegedly purchased payday loan applications provided by at least 2.2 million consumers to various data brokers, including LeapLab.
The FTC claims that LeapLab sold at least 16 percent of those applications to Ideal Financial.
"The defendants collected hundreds of thousands of payday loan applications from payday loan websites known as publishers," the FTC states. "Publishers typically offer to help consumers obtain payday loans. To do so, they ask for consumers' sensitive financial information to evaluate their loan applications and transfer funds to their bank accounts if the loan is approved. These applications, including those bought and sold by LeapLab, contained the consumer's name, address, phone number, employer, Social Security number, and bank account number, including the bank routing number."
The complaint also alleges that LeapLab hired a key executive from Ideal Financial to be its chief marketing officer and knew at that time that Ideal Financial was using the information it purchased to make fraudulent charges. Still, LeapLab and its CEO at the time, John Ayers, did nothing to stop the illegal activity, according to the complaint.
"This case shows that the illegitimate use of sensitive financial information causes real harm to consumers," says Jessica Rich, director of the FTC's Bureau of Consumer Protection, in the Dec. 23 statement. "Defendants like those in this case harm consumers twice: first by facilitating the theft of their money and second by undermining consumers' confidence about providing their personal information to legitimate lenders."
The estimated amount illegally charged and withdrawn from these consumers' accounts totaled more than $47 million, the FTC claims.
The FTC is asking the Arizona district court to file a permanent injunction against LeapLab to prevent future violations, and it also wants to award relief to consumers who paid unauthorized charges to Ideal Financial. The FTC also asks that its legal fees be paid by the defendants.
Other FTC Actions
Recent charges brought by the FTC against other firms prove the commission is getting more aggressive when it comes to the protection of consumer data.
In March, the FTC settled with online movie-ticket sales provider Fandango and Web-based financial management provider Credit Karma after both companies were charged by the FTC for failing to secure consumer data submitted through their mobile applications (see Fandango, Credit Karma Settle with FTC).
The settlements required Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications, as well as to undergo independent security assessments every other year for the next 20 years.
In November, at the request of the FTC, a federal court agreed to temporarily shut down two telemarketing operations that had allegedly conned tens of thousands of consumers out of more than $120 million. The FTC claimed the two firms deceptively marketed computer security software and tech-support services that were ultimately useless (see FTC Continues Tech-Support Scam Busts).
"These operations prey on consumers' lack of technical knowledge with deceptive pitches and high-pressure tactics to sell useless software and services," said the FTC's Rich in November.
The crackdown came on the heels of a similar crackdown in which a federal court, again acting upon the request of the FTC, shut down a fraudulent tech-support site known as Pairsys. Pairsys had allegedly posed as Facebook and Microsoft to fool consumers into paying up to $600 for bogus security tools, the FTC claimed (see FTC Shutters Alleged Tech-Support Scam).