Feds: Fandango Customers Were Vulnerable to Hackers, Identity Theft

The movie-ticket company and a credit-monitoring service settle FTC charges.

National Journal
Brendan Sasso
March 28, 2014, 10:28 a.m.

If you bought movie tickets between 2009 and 2013 on Fandango’s mobile app, your credit-card information may have been an easy target for hackers.

Fandango settled a lawsuit with the Federal Trade Commission on Friday over charges that it failed to take basic steps to protect user data on its app for iPhones and iPads.

Credit Karma, a credit-checking service, settled similar charges Friday with the FTC for failing to protect mobile-app data.

Neither company is required to pay any financial penalty as part of the settlements, although both Fandango and Credit Karma are required to establish “comprehensive security programs” and to undergo independent security assessments every other year for the next 20 years.

According to the lawsuits, the companies disabled a default encryption process, known as SSL certification. As a result, hackers could have easily intercepted private information, especially on public Wi-Fi networks often found in coffee shops, shopping centers, or airports, the FTC said.

Despite the vulnerability, Fandango assured customers that their credit card information was safe as they checked out. Credit Karma claimed it was using “industry-leading security precautions.”

In a statement Friday, Fandango said it upgraded its security in March 2013 and that it is not aware of any customers who had their information stolen.

“Security is among Fandango’s top priorities, and we are fully committed to protecting our customers’ personal information,” the company said. “We have reviewed and heightened our security program to protect our customers’ personal information, across all of Fandango’s products and platforms, and we test regularly for data security.”

A Credit Karma spokesman said the company has addressed the security issue and is not aware of any lost data.

FTC Chairwoman Edith Ramirez noted that consumers are increasingly relying on mobile apps to make purchases and handle sensitive financial information.

“Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps,” she said.

Senate Commerce Committee Chairman Jay Rockefeller, Senate Judiciary Committee Chairman Patrick Leahy, and other lawmakers are pushing bills that would allow the FTC to fine companies for inadequate data-security practices.

The FTC is currently investigating Target over last year’s massive hack of credit-card information.
