Fined: Rewards company swiped unencrypted student data

US student rewards company Upromise was fined by authorities after it was found guilty of mishandling sensitive data in violation of federal law.

Upromise, which adds small amounts of money to a savings account when users buy items from their partner merchants, asked users to download a "TurboSaver Toolbar" so they could locate merchants that provide rebates.

The company encouraged customers to enable the "Personalised Offers" component of the toolbar because, Upromise said, it would allow them to get more customised deals.

The problem though, according to the FTC, is that information Upromise collected in order to provide those deals was transmitted unencrypted.

This contradicted the company's commitment to encrypt confidential information in transit.

One researcher who studied the website and its information-collection practices said the toolbar had taken credit card numbers from encrypted sessions.

"In my testing, when a user checked an innocuously-labelled box promising "Personalised Offers," the Upromise Toolbar tracked and transmitted my every page-view, every search, and every click, along with many entries into web forms," Ben Edelman, an assistant professor at Harvard Business School, wrote in blog last year.

"Remarkably, these transmissions included full credit card numbers -- grabbed out of merchants' HTTPS (SSL) secure communications, yet transmitted by Upromise in plain text, readable by anyone using a network monitor or other recording system."

As a result of the settlement, Upromise must erase any data it previously collected through the Personalized Offers feature, provide clear disclosure policies and receive consent from consumers before they install any similar product.

In addition, the company must notify those users who had enabled the feature, and alert them of any data that was collected and instructions on how to remove the feature and toolbar.

Upromise spokeswoman Debby Hohler said the incident affected about one percent of the company's members and added she was not aware of resulting fraud.

"The protection of personal information is extremely important to us and we took immediate action to resolve the issue," she said. "We have fully cooperated with the FTC and have addressed their concerns."

This article originally appeared at scmagazineus.com