Fined: Rewards company swiped unencrypted student data

Powered by SC Magazine

Reports say credit card numbers were transmitted in clear text.

US student rewards company Upromise has been penalised by the US Federal Trade Commission (FTC), settling charges that it mishandled sensitive data in violation of federal law.

Upromise, which adds small amounts of money to a savings account when users buy items from its partner merchants, asked users to download a "TurboSaver Toolbar" so they could locate merchants that provide rebates.

The company encouraged customers to enable the "Personalised Offers" component of the toolbar because, Upromise said, it would allow them to get more customised deals.

The problem, according to the FTC, was that the information Upromise collected in order to provide those deals was transmitted unencrypted.

This contradicted the company's stated commitment to encrypt confidential information in transit.

One researcher who studied the website and its information-collection practices said the toolbar had captured credit card numbers from merchants' encrypted (HTTPS) sessions.

"In my testing, when a user checked an innocuously-labelled box promising 'Personalised Offers,' the Upromise Toolbar tracked and transmitted my every page-view, every search, and every click, along with many entries into web forms," Ben Edelman, an assistant professor at Harvard Business School, wrote in a blog post last year.

"Remarkably, these transmissions included full credit card numbers -- grabbed out of merchants' HTTPS (SSL) secure communications, yet transmitted by Upromise in plain text, readable by anyone using a network monitor or other recording system."
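Edelman's point that the transmissions were "readable by anyone using a network monitor" cuts both ways: the same property makes the leak detectable on the wire. The following is an added example, not code from the original article, from Upromise or from Edelman. It is a small passive check, written in Python, that parses captured plaintext HTTP requests, looks inside every query and form parameter for digit runs that pass the Luhn checksum used by payment cards, and reports hits with the number masked so the monitor does not itself become a second copy of the data. The host name toolbar.example, the /track path, the parameter names and the sample requests are all constructed for this example and are not Upromise's real endpoints or traffic.

```python
"""Passive check for payment card numbers leaking in plaintext HTTP requests.

Added example: the endpoints, parameter names and requests below are
constructed for illustration, not captured from any real toolbar.
"""
import re
import urllib.parse

# Constructed sample of what a network monitor would see on the wire from a
# hypothetical tracking toolbar (host/path/params are assumptions).
SAMPLE_REQUESTS = [
    # A page-view/click report carrying no cardholder data.
    "GET /track?url=https%3A%2F%2Fshop.example%2Fcart&click=checkout HTTP/1.1\r\n"
    "Host: toolbar.example\r\n\r\n",
    # A form-entry report with a Luhn-valid test PAN lifted from an HTTPS page.
    "POST /track HTTP/1.1\r\nHost: toolbar.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "url=https%3A%2F%2Fshop.example%2Fcheckout&field=cardnumber&value=4111111111111111",
    # A 16-digit order number that is NOT Luhn-valid: must not be flagged.
    "POST /track HTTP/1.1\r\nHost: toolbar.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "url=https%3A%2F%2Fshop.example%2Forder&field=orderid&value=1234567890123456",
    # A card number typed with spaces, as users often enter it.
    "POST /track HTTP/1.1\r\nHost: toolbar.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "field=cc&value=5555+5555+5555+4444",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first 6 and last 4 digits so findings never store a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, host, path, params)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urllib.parse.urlsplit(target)
    params = urllib.parse.parse_qs(url.query, keep_blank_values=True)
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for key, values in urllib.parse.parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return method, headers.get("host", ""), url.path, params


def find_pans(text: str):
    """Return the Luhn-valid card numbers (digits only) found in a string."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_requests(raw_requests):
    """Report every parameter in every request that carries a card number."""
    findings = []
    for raw in raw_requests:
        method, host, path, params = parse_request(raw)
        for name, values in params.items():
            for value in values:
                for pan in find_pans(value):
                    findings.append({"method": method, "host": host, "path": path,
                                     "param": name, "pan": mask(pan)})
    return findings


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"PAN in plaintext {f['method']} {f['host']}{f['path']} "
              f"param={f['param']} pan={f['pan']}")
```

The Luhn check is what keeps the order-number request out of the findings: a 16-digit run on its own is not evidence of a card number, and a monitor that alerts on every long digit string is quickly ignored. Note also what the check does not do: it inspects the plaintext exfiltration leg only. TLS protects the transport, not the endpoint, so a toolbar running inside the browser reads form contents after the merchant's HTTPS session has been decrypted, and nothing on the merchant's side could have stopped the capture itself.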

As a result of the settlement, Upromise must erase any data it previously collected through the Personalised Offers feature, provide clear disclosure policies, and obtain consent from consumers before they install any similar product.

In addition, the company must notify those users who had enabled the feature, tell them what data was collected, and give them instructions on how to remove the feature and the toolbar.

Upromise spokeswoman Debby Hohler said the incident affected about one percent of the company's members and added that she was not aware of any resulting fraud.

"The protection of personal information is extremely important to us and we took immediate action to resolve the issue," she said. "We have fully cooperated with the FTC and have addressed their concerns."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
