Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
US student rewards company Upromise was fined by authorities after it was found guilty of mishandling sensitive data in violation of federal law.
Upromise, which adds small amounts of money to a savings account when users buy items from their partner merchants, asked users to download a "TurboSaver Toolbar" so they could locate merchants that provide rebates.
The company encouraged customers to enable the "Personalised Offers" component of the toolbar because, Upromise said, it would allow them to get more customised deals.
The problem though, according to the FTC, is that information Upromise collected in order to provide those deals was transmitted unencrypted.
This contradicted the company's commitment to encrypt confidential information in transit.
One researcher who studied the website and its information-collection practices said the toolbar had taken credit card numbers from encrypted sessions.
"In my testing, when a user checked an innocuously-labelled box promising "Personalised Offers," the Upromise Toolbar tracked and transmitted my every page-view, every search, and every click, along with many entries into web forms," Ben Edelman, an assistant professor at Harvard Business School, wrote in blog last year.
"Remarkably, these transmissions included full credit card numbers -- grabbed out of merchants' HTTPS (SSL) secure communications, yet transmitted by Upromise in plain text, readable by anyone using a network monitor or other recording system."
As a result of the settlement, Upromise must erase any data it previously collected through the Personalized Offers feature, provide clear disclosure policies and receive consent from consumers before they install any similar product.
In addition, the company must notify those users who had enabled the feature, and alert them of any data that was collected and instructions on how to remove the feature and toolbar.
Upromise spokeswoman Debby Hohler said the incident affected about one percent of the company's members and added she was not aware of resulting fraud.
"The protection of personal information is extremely important to us and we took immediate action to resolve the issue," she said. "We have fully cooperated with the FTC and have addressed their concerns."
This article originally appeared at scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.