Skip to main content

Suppose a lunch companion says, “I think there’s something wrong with this tuna salad.” To determine if the problem is tuna not to their taste vs. tuna gone bad, would you scarf it down? Probably not. Now remove tuna salad from the example and substitute a web browser extension. (Stay with us here.) Let’s say you’ve been warned that an unknown extension could be used for fraud. Should you download it and let it marinate in your company’s network? The FTC says that’s what the owner of ClixSense.com did, and it’s just one example of conduct challenged as deceptive or unfair.

ClixSense – a sole proprietorship owned by James V. Grago, Jr. – is a rewards website that pays users for clicking on ads, taking online surveys, or completing other tasks. As part of the enrollment process, ClixSense collects users’ full names, addresses, dates of birth, and other personal information. In addition, people must create usernames and passwords and answer security questions. If users earn more than $600 a year from ClixSense, they have to turn over their Social Security numbers, too.

Visitors to ClixSense.com were promised “the latest encryption and security techniques to ensure the security of your account information.” But according to the complaint, at least through 2016, the site didn’t honor that claim. The FTC alleges that ClixSense didn’t perform network vulnerability and penetration testing, didn’t use established techniques to protect against third-party attacks, didn’t implement reasonable access controls, didn’t use techniques to detect cybersecurity events, and didn’t use encryption – among other techniques – to protect sensitive consumer information stored in plain text on its network.

What’s more, the FTC says ClixSense let employees store plain text user credentials in personal email accounts, didn’t change third-party default logins and passwords, failed to use readily available security measures, and maintained consumers’ information, including their Social Security numbers, in clear text on the company’s network and devices.

In November 2015, a user warned ClixSense about a publicly available browser extension that appeared to allow people to click on ads without actually viewing them. To use a term well-known in the industry, the browser extension purportedly facilitated click fraud. And that’s where the iffy tuna salad analogy comes into play, because how did ClixSense respond to the concern about this suspect browser extension? According to the FTC, ClixSense simply downloaded it onto its own network without taking proper precautions. There it sat for months as hackers used it to access credentials on employee laptops, change employees’ logins and passwords, and redirect visitors to an unaffiliated adult website – all clues that should have alerted ClixSense that its network had been compromised.

Ultimately, hackers used credentials lifted from an email on a compromised employee laptop to access an old ClixSense server still connected to the network. That server used the default credentials ClixSense had never changed. If lawsuits were horror movies, this is where you’d cover your eyes and yet still feel compelled to peek at what happened. That's because hackers used the old server to connect to the new server, which is where they downloaded personal information maintained in clear text on about 6.6 million consumers, 500,000 of them in the U.S. The hackers then offered stolen data for sale on a questionable website.

The complaint challenges the company’s claims about using “the latest security and encryption techniques” as false or misleading. The FTC also alleges that the failure to use reasonable security was an unfair practice.

For people who follow FTC data security enforcement, the proposed order is worth a careful read. Among other things, the order prohibits misrepresentations about the privacy, security, confidentiality, or integrity of personal information, including the extent to which encryption and security techniques are used. In addition, before collecting personal information, Mr. Grago and any company he controls must put a comprehensive information security program in place. The proposed order lists eight specific features the program must have, all tied to the conduct and lapses alleged in the complaint. Also required: periodic third-party security assessments and annual certifications that the requirements of the order are in place. Once the proposed consent agreement is published in the Federal Register, you will have 30 days to file a public comment.

What can other companies take from this case?

Deliver on your security pledges. Security claims are more than cut-and-pasted boilerplate. Like any other objective representation, they need the support of solid substantiation.

Monitor for suspicious activity and respond quickly and thoughtfully. Use affordable tools to alert you to unexplained traffic on your network or changes to your website. If you suspect a security incident, implement a forceful red zone defense. But don’t “investigate” with a wayward click or download your tech team hasn’t thought through. Turn to the FTC’s Data Breach Response publication and video for advice.

A confidential credential can be consequential. Most business people know that certain kinds of data – for example, Social Security numbers and account information – can be toxic to a consumer’s identity if they fall into hackers’ hands. But stolen login credentials can inflict harm, too. Let’s face it: People have been known to use the same username and password on more than one site. Because the theft of a user’s login on your site could serve as a skeleton key to give hackers access to consumers’ bank accounts, medical records, or other highly sensitive information, keep a close eye on credentials. Start with Security has more tips on passwords and authentication.

Following data security developments? The Commission issued a statement today in conjunction with the announcement of this proposed settlement and a separate COPPA action.
 

 

Tags:

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

OPSE
June 21, 2019
People in charge of ClixSense are not only incompetent, they are downright dangerous to their users and they should be taken offline before more people get hurt. When the security breach took place, they waited for 2 months before they notified their US based users ONLY. Hapless members from everywhere else in the world have not been officially notified to this day and they keep suffering the consequences. Furthermore, when the hackers had a field day, they proudly announced they would not only circulate all data online, but they would also sell all emails from the company, which include other businesses and individuals and violate their privacy and security. Even worse, they let everyone know they possess the source code for the entire site, which causes even more security issues. What's even more appalling? They did absolutely NOTHING to protect user accounts after allegations of a security breach were made and in fact removed any related announcements / posts, to keep everyone in the dark and sweep their mess under the rag. After all this, one would think they finally learned their lesson and take security and data protection seriously, right? WRONG. They don't even comply with the European Union's GDPR, leaving their European user-base exposed to another breach and rendering their European operations illegal. I can't believe these people are still in business, their neglect and practices are disgusting and they take advantage of their members' ignorance to make a nice profit without caring about data protection and security. This site is an utter joke and you should stay away from them if you value your personal information!

More from the Business Blog

Get Business Blog updates

 
Return to top