Fined: Rewards company swiped unencrypted student data

Powered by SC Magazine

Reports say credit card numbers were transmitted in clear text.

US student rewards company Upromise was fined by authorities after it was found guilty of mishandling sensitive data in violation of federal law.

Upromise, which adds small amounts of money to a savings account when users buy items from their partner merchants, asked users to download a "TurboSaver Toolbar" so they could locate merchants that provide rebates.

The company encouraged customers to enable the "Personalised Offers" component of the toolbar because, Upromise said, it would allow them to get more customised deals.

The problem though, according to the FTC, is that information Upromise collected in order to provide those deals was transmitted unencrypted.

This contradicted the company's commitment to encrypt confidential information in transit.

One researcher who studied the website and its information-collection practices said the toolbar had taken credit card numbers from encrypted sessions.

"In my testing, when a user checked an innocuously-labelled box promising "Personalised Offers," the Upromise Toolbar tracked and transmitted my every page-view, every search, and every click, along with many entries into web forms," Ben Edelman, an assistant professor at Harvard Business School, wrote in blog last year.

"Remarkably, these transmissions included full credit card numbers -- grabbed out of merchants' HTTPS (SSL) secure communications, yet transmitted by Upromise in plain text, readable by anyone using a network monitor or other recording system."

As a result of the settlement, Upromise must erase any data it previously collected through the Personalized Offers feature, provide clear disclosure policies and receive consent from consumers before they install any similar product.

In addition, the company must notify those users who had enabled the feature, and alert them of any data that was collected and instructions on how to remove the feature and toolbar.

Upromise spokeswoman Debby Hohler said the incident affected about one percent of the company's members and added she was not aware of resulting fraud.

"The protection of personal information is extremely important to us and we took immediate action to resolve the issue," she said. "We have fully cooperated with the FTC and have addressed their concerns."

This article originally appeared at

Copyright © SC Magazine, US edition

Fined: Rewards company swiped unencrypted student data
Top Stories
Content, cost & constant innovation: How Foxtel plans to take on Netflix
Nell Payne inhabits the “brave new world of blue strings and networking”. Just don't ask her to put a TV screen on your microwave.
Sending in the drones
Margins are getting tighter in the industrial services industry, so Transfield Services' Stephen Phillips looks offshore - and to the skies - for the solutions he needs to keep pace.
Westpac fires starting pistol on core banking upgrade
St George readies itself for move to Celeriti.
Sign up to receive iTnews email bulletins
Latest Comments
Should Optus make a bid for iiNet?

   |   View results