FTC Alleges Operators of Two Commercial Websites Failed to Protect Consumers’ Data

The operators of an online rewards website and a dress-up games website have separately agreed to settle Federal Trade Commission allegations that they failed to take reasonable steps to secure consumers’ data, which allowed hackers to breach both websites.

In a complaint filed by the Department of Justice on behalf of the Commission, the FTC alleged that the operators of i-Dressup.com violated the Children’s Online Privacy Protection Act (COPPA) by failing to obtain parental consent before collecting personal information from children under 13 and failing to provide reasonable security for the data i-Dressup collected.

In a separate action against the operators of the online rewards website ClixSense.com, the FTC alleged that the website’s inadequate security allowed hackers to gain access to consumers’ sensitive information through the company’s network.

Allegations against ClixSense

ClixSense pays its users to view advertisements, perform online tasks, and complete online surveys. The company collects personal information from users, such as their full names, dates of birth, email and postal addresses, usernames, passwords, and answers to security questions, as well as Social Security numbers for those who make more than $600 a month.

In its complaint against ClixSense, the FTC alleges that the website’s operator, James V. Grago, Jr., deceived consumers by falsely claiming that ClixSense “utilizes the latest security and encryption techniques to ensure the security of your account information.” In fact, ClixSense failed to implement minimal data security measures and stored personal information in clear text with no encryption. The complaint also alleges that ClixSense failed to implement readily available measures to limit access between computers on ClixSense’s network; failed to change default login and password credentials for third-party company network resources; and maintained consumers’ personal information, including consumers’ names, dates of birth, answers to security questions, login and password credentials, and Social Security numbers, in clear text.

The FTC alleges that ClixSense’s failures allowed hackers to gain access to the company’s network through a browser extension that ClixSense downloaded. The complaint notes that ClixSense was put on notice that the company’s network was compromised based on clues left by the hackers. For example, hackers accessed documents, email accounts, and credentials stored on employee laptops; changed employees’ logins and passwords; redirected email notifications for multiple network accounts, including ClixSense’s cloud and Domain Name System (DNS) host services; and redirected visitors to the ClixSense website to an unaffiliated adult-themed website.

As a result of ClixSense’s data security failures, the hackers downloaded a document from ClixSense that contained clear text information regarding 6.6 million consumers, including some 500,000 U.S. consumers. The hackers then published and offered for sale, on a website known for posting security exploits, personal information pertaining to approximately 2.7 million consumers, including full names and physical addresses, dates of birth, gender, answers to security questions, email addresses and passwords, as well as hundreds of Social Security numbers.

As part of the settlement, Grago is prohibited from misrepresenting the extent to which any company he controls protects the privacy, security, confidentiality, or integrity of personal information it collects. If any company he controls collects or maintains personal information, Grago must implement a comprehensive information security program and obtain independent biennial assessments of this program. In addition, Grago also is prohibited from making misrepresentations to the third party performing the biennial assessments of any information security program, and must provide an annual certification of compliance to the Commission.

Allegations against i-Dressup

The FTC alleges that Unixiz, Inc., doing business as i-Dressup.com, and the individually named defendants CEO Zhijun Liu and Secretary Xichen Zhang, violated COPPA by failing to obtain parental consent before collecting personal information from children under 13 and provide reasonable and appropriate security for the data i-Dressup collected.

The i-Dressup.com website allowed users, including children, to play dress-up games, design clothes, and decorate their online spaces. It also included an online community where users could create personal profiles and interact with other users.

To gain access to all the features on the website, including the social features, users had to register as members, requiring them to submit a user name, password, birthdate, and email address. If a user indicated he or she was under 13, the registration field asked for a parent’s email. When a user clicked the “Join Now” button, an email notice was sent to the parental email address the user entered. In that email, parents could provide consent by clicking the “Activate Now” button in the email.

If a parent declined to provide consent, the under-13 users were given a “Safe Mode” membership allowing them to login to access i-Dressup’s games and features but not its social features. The FTC alleges, however, that i-Dressup still collected personal information from these children even if their parents did not provide consent.

In addition to violating the parental consent requirements, the FTC also alleges that i-Dressup and its operators failed to comply with COPPA’s requirement to keep the data it collected secure. The FTC alleges i-Dressup stored and transmitted users’ personal information in plain text and failed to perform vulnerability testing of its network, implement an intrusion detection and prevention system, and monitor for potential security incidents. These failures led to a security breach. The operators of i-Dressup discovered in September 2016 that a hacker had accessed their computer network and information about consumers, including children who used i-Dressup. The hacker accessed the information of approximately 2.1 million users—including approximately 245,000 users who indicated they were under 13.

As part of the proposed settlement with the FTC, i-Dressup and its owners have agreed to pay $35,000 in civil penalties, and are prohibited from violating COPPA. In addition, they are barred from selling, sharing, or collecting any personal information until they implement a comprehensive data security program to protect the information and obtain independent biennial assessments of this program. They also are prohibited from making misrepresentations to the third party performing the assessments of the information security program, and must provide an annual certification of compliance to the Commission.

The Commission vote authorizing the staff to file the i-Dressup federal complaint and stipulated final order was 5-0. The complaint and stipulated final order was filed in the U.S. District Court for the Northern District of California. The Commission files a federal court complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

The Commission vote to issue the administrative complaint and to accept the consent agreement with ClixSense was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.

The Commission also issued a statement on both cases.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.