A pair of websites have settled with the Federal Trade Commission over complaints that they failed to provide sufficient data security.
FTC Chairman Joe Simons has assured legislators the agency will be a forceful enforcer of online privacy and data security.
Settling with the agency were online rewards website ClixSense and games website i-Dressup.com. The FTC charged that both failed to provide reasonable data security, which led to breaches of each site by hackers.
The FTC said i-Dressup.com violated the Children's Online Privacy Protection Act (COPPA) by "failing to obtain parental consent before collecting personal information from children under 13 and failing to provide reasonable security for the data i-Dressup collected."
As a result, a hacker gained access to the data of approximately 2.1 million users, including almost a quarter million who identified themselves as under 13.
ClixSense was accused of false and deceptive conduct over its cybersecurity claims. According to the FTC, "ClixSense failed to implement minimal data security measures and stored personal information in clear text with no encryption."
The FTC said ClixSense "allowed hackers to gain access to the company’s network through a browser extension that ClixSense downloaded." The result was that hackers obtained "clear text information regarding 6.6 million consumers, including some 500,000 U.S. consumers." The hackers offered up for sale the personal information of 2.7 million people, including "full names and physical addresses, dates of birth, gender, answers to security questions, email addresses and passwords, as well as hundreds of Social Security numbers."
I-Dressup.com will have to pay $35,000 and promise not to violate COPPA again.
ClixSense and its operator, James V. Grago Jr., must no longer misrepresent the security of the site, or of any other business Grago operates, and must take steps to beef up that security. The votes to settle the complaints were 5-0.