Fined: Rewards company swiped unencrypted student data

Powered by SC Magazine
 

Reports say credit card numbers were transmitted in clear text.

US student rewards company Upromise was fined by authorities after it was found guilty of mishandling sensitive data in violation of federal law.

Upromise, which adds small amounts of money to a savings account when users buy items from their partner merchants, asked users to download a "TurboSaver Toolbar" so they could locate merchants that provide rebates.

The company encouraged customers to enable the "Personalised Offers" component of the toolbar because, Upromise said, it would allow them to get more customised deals.

The problem though, according to the FTC, is that information Upromise collected in order to provide those deals was transmitted unencrypted.

This contradicted the company's commitment to encrypt confidential information in transit.

One researcher who studied the website and its information-collection practices said the toolbar had taken credit card numbers from encrypted sessions.

"In my testing, when a user checked an innocuously-labelled box promising "Personalised Offers," the Upromise Toolbar tracked and transmitted my every page-view, every search, and every click, along with many entries into web forms," Ben Edelman, an assistant professor at Harvard Business School, wrote in blog last year.

"Remarkably, these transmissions included full credit card numbers -- grabbed out of merchants' HTTPS (SSL) secure communications, yet transmitted by Upromise in plain text, readable by anyone using a network monitor or other recording system."

As a result of the settlement, Upromise must erase any data it previously collected through the Personalized Offers feature, provide clear disclosure policies and receive consent from consumers before they install any similar product.

In addition, the company must notify those users who had enabled the feature, and alert them of any data that was collected and instructions on how to remove the feature and toolbar.

Upromise spokeswoman Debby Hohler said the incident affected about one percent of the company's members and added she was not aware of resulting fraud.

"The protection of personal information is extremely important to us and we took immediate action to resolve the issue," she said. "We have fully cooperated with the FTC and have addressed their concerns."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Fined: Rewards company swiped unencrypted student data
 
 
 
Top Stories
Westpac interim CIO resigns
Group CIO yet to be appointed.
 
Five emerging technologies that will transform financial services
[Blog post] Far out ideas that aren't far off.
 
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  27%
 
Application integration concerns
  3%
 
Security and compliance concerns
  28%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  23%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 930

Vote