State AGs Deal With Payment Processor, Mobile Apps

Financial Services Law

In state enforcement news, Massachusetts Attorney General Maura Healey announced a settlement with a California-based payment services provider, while New York Attorney General Barbara Underwood reached a deal with five companies related to security vulnerabilities in their mobile apps.

The Massachusetts action, which involved allegations that the company exposed the personal information of state residents, resulted in a $155,000 civil penalty, while the companies involved in the New York actions avoided a penalty but agreed to improve their security practices after the attorney general (AG) said they failed to keep sensitive user information secure when it was transmitted online.

What happened

The Massachusetts action began when the payment services provider notified the Attorney General’s Office in 2015 that a data breach had occurred the prior year. An investigation by the AG revealed that while engineers for the payment services provider were modifying its website, they accidentally removed password protections from public-facing websites where users sign up for the company’s service.

The company stored the personal information of consumers, the AG said, including Social Security and bank account numbers as well as addresses and driver’s license numbers. The mistake meant that any Internet user could view the data until August 2015, when the vulnerability was fixed. The investigation found that some employees of the company were aware of the vulnerability as early as August 2014 but neglected to fix it.

An estimated 6,800 Massachusetts residents were impacted by the violation of state consumer protection and data security laws, Healey said.

Pursuant to an assurance of discontinuance with the AG, the payment services provider agreed to pay $155,000, comply with state laws, and implement policies to improve the security of its systems and protect consumer data online (such as having a chief information security officer, training employees on data security, and assessing and updating information security policies related to changes to its systems and to external vulnerabilities).

“This company broke the law by failing to take immediate action when consumers’ personal information was at risk,” Healey said in a statement about the action. “Through our settlement, [the payment services provider] will pay a penalty and take significant steps to safeguard the personal information of customers.”

In the New York actions, AG Barbara Underwood settled with five companies whose mobile apps failed to secure user information transmitted over the Internet.

To protect consumers using Wi-Fi networks to connect their mobile devices to the Internet, mobile web browsers and apps use a security protocol known as Transport Layer Security (TLS) to establish a secure, encrypted connection online, the AG explained. To establish the secure connection, the mobile device must verify the computer’s identity by authenticating a security certificate.

If an app fails to properly authenticate the identity, it becomes vulnerable to a “man-in-the-middle attack,” where a third party can intercept and view any information transmitted between the mobile device and the app. App developers can use freely available software to test their apps for this well-known vulnerability.

The five companies offered free mobile apps that required users to enter information including an email address and a credit card number. According to the AG, although the companies represented to users that they used reasonable security measures to protect consumer data, they failed to test their apps for this common and known vulnerability, and certain versions of their apps neglected to properly authenticate the security certificates.

“As a result, an attacker could have impersonated the companies’ servers and intercepted information entered into the app by the user,” according to Underwood. “With this information, an attacker could commit various forms of identity theft and fraud, including credit card fraud.”

The New York Office of the Attorney General uncovered the vulnerabilities found in the five apps after testing them as part of an initiative to find security problems before a data breach occurs. The settlement agreements require each of the companies to implement comprehensive security programs to protect user information from future potential attacks.

To read the Massachusetts AG’s press release, click here.

To read the New York AG’s press release, click here.

Why it matters

“Businesses that make security promises to their users—especially as it relates to personal information—have a duty to keep those promises,” AG Underwood said in a statement. “My office is committed to holding businesses accountable and [ensuring] they protect users’ personal information from hackers.” The actions by these two state AGs demonstrate the continuing efforts that states have been pursuing to stem data security and privacy violations.