FTC files lawsuit against D-Link alleging it put consumers’ privacy at risk due to inadequate security of its computer routers and cameras

The Federal Trade Commission filed a complaint against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.

The FTC charged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.

According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as:


“hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;

a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;

the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and

leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

According to the complaint, hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.

The FTC alleges that by using a compromised camera, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations.


Superfish agrees to pay $1 million to settle a class-action privacy lawsuit

The class action lawsuit was brought on behalf of consumers who purchased Lenovo notebooks in late 2014 and early 2015 and alleges that Lenovo bundled its notebooks with Superfish’s “VisualDiscovery” ad-serving software, which contained security flaws.

Superfish is a program that inserts ads into a variety of Web pages including secure HTTPS pages. To do so, Superfish tinkers with Windows’ cryptographic security, according to numerous reports. But breaking encryption also paves the way for hackers to intercept sensitive data, including passwords and online banking credentials.

Sitesearch Corp. and LeapLab LLC sued by FTC for selling personal information to internet market scammers

LeapLab and Sitesearch Corp., a data broker operation, sold sensitive personal information of hundreds of thousands of consumers – including Social Security and bank account numbers – to scammers who allegedly debited millions from their accounts, the Federal Trade Commission charged in a complaint filed today.

According to the FTC’s complaint, data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization.

The defendants collected hundreds of thousands of payday loan applications from payday loan websites known as publishers. Publishers typically offer to help consumers obtain payday loans. To do so, they ask for consumers’ sensitive financial information to evaluate their loan applications and transfer funds to their bank accounts if the loan is approved. These applications, including those bought and sold by LeapLab, contained the consumer’s name, address, phone number, employer, Social Security number, and bank account number, including the bank routing number.

The defendants sold approximately five percent of these loan applications to online lenders, who paid them between $10 and $150 per lead. According to the FTC’s complaint, however, the defendants sold the remaining 95 percent for approximately $0.50 each to third parties who were not online lenders and had no legitimate need for this financial information.

The FTC’s complaint alleges that these non-lender third parties included: marketers that made unsolicited sales offers to consumers via email, text message, or telephone call; data brokers that aggregated and then resold consumer information; and phony internet merchants like Ideal Financial Solutions. According to the FTC’s complaint, the defendants had reason to believe these marketers had no legitimate need for the sensitive information they were selling.

Adobe Systems named in class action lawsuit over data breach relating to personal information of users

The lawsuit alleges that Adobe Systems failed to protect its users’ personal information, including e-mail addresses, passwords, credit and debit card numbers, expiration dates, and mailing and billing addresses, in accordance with both industry security standards and its own security standards, which have long been described by industry experts as substandard. The complaint alleges that despite assuring its users that it will provide them with “reasonable administrative, technical, and physical security controls” in handling its users’ information, the security standards employed by Adobe have resulted in breaches of its networks and software.

On or about October 3, 2013, Adobe made public its largest and most wide-reaching security breach to date. Adobe revealed that hackers had succeeded in gaining access to 3 million credit records, debit card records, and login data for many of its users. Adobe later revealed that approximately 38 million of its users had been impacted by this security breach. Third-party analysis of a large file stolen from Adobe suggests that about 152 million accounts were affected.

The complaint alleges that the breach, which was caused by Adobe’s failure to employ adequate security standards with respect to the handling of its users’ information, has resulted in plaintiff and members of the Class having their information compromised and their finances placed in jeopardy.

Class: All persons within the United States who had an account with Adobe whose personal information was compromised as a result of the data breach that occurred on or around September 2013.

Facebook named in class action lawsuit over privacy breaches

The class-action lawsuit alleges the social network scanned users’ private messages for links to third-party sites and then shared that information with advertisers, marketers and other data aggregators. It is brought on behalf of all US Facebook users.

The complaint alleges that Facebook systematically violated consumers’ privacy by reading its users’ personal private Facebook messages without their consent. As alleged, “Representing to users that the content of Facebook messages is ‘private’ creates an especially profitable opportunity for Facebook, because users who believe they are communicating on a service free from surveillance are likely to reveal facts about themselves that they would not reveal had they known the content was being monitored.”

Appriss named in class action for violating the Driver’s Privacy Protection Act

This is a Class Action Complaint brought pursuant to the Driver’s Privacy Protection Act (the “DPPA”), 18 U.S.C. 2721, et seq., against Appriss. Plaintiffs bring this civil action on behalf of themselves and all others similarly situated whose “personal information” is contained in any “motor vehicle record” (as defined in 18 U.S.C. 2725(1) and (3), respectively), which has been knowingly disclosed by Appriss to third parties without Plaintiffs’ “express consent” (as defined in 18 U.S.C. 2725(5)) for use by such third parties for purposes not enumerated in 18 U.S.C. 2721(b).

As alleged, Defendant Appriss offered for sale, and sold, motor vehicle accident reports to third parties who then used “personal information” contained in the reports to commercially solicit Plaintiffs and the other Class members.

Appriss bills itself as providing “technology solutions to help agencies keep communities safe and informed.” Its e-commerce site www.buycrash.com allows “parties involved in an accident to have the convenience option of buying their crash report online.” What Appriss fails to disclose, however, is that it sells the crash reports not only to “parties involved in an accident,” but also to third parties, who then use the personal information contained in those crash reports to commercially solicit the accident victims.

Plaintiffs seek to represent a class consisting of: Each person, from August 8, 2009, through the date of judgment herein, whose “personal information” obtained from a “motor vehicle record” was knowingly disclosed by Appriss to a third party for commercial solicitation purposes or for any other purpose not permitted by 18 U.S.C. 2721(b)(1)-(14).

Appriss, or its affiliates, predecessors or entities with which it has merged (i.e. Holt, Sheets & Associates and/or Open Portal Solutions, Inc.), built the software used by law enforcement agencies in at least seven states (Indiana, Illinois, Kentucky, Florida, Georgia, Texas, and New Jersey).

YOUMAIL sued for violating the Telephone Consumer Protection Act

Defendant YOUMAIL is a well-known provider of premium voicemail products and services. Defendant’s flagship product is a “visual voicemail” smart-phone application, which transcribes voicemail audio to text so that users are able to read their voicemail messages. To promote its products and brand, Defendant made (or directed to be made on its behalf) unauthorized text message calls to the cellular telephones of consumers throughout the country, without prior consent, in violation of the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”).

Neither Plaintiff nor any other member of the putative Class has ever provided Defendant with their cellular telephone numbers, let alone provided it with consent to send them promotional text messages. Rather, YouMail intercepts and retains the cellular telephone numbers of each and every consumer that leaves a voicemail for any of its customers, and then makes unauthorized text message calls to such consumers containing advertisements and promotions for its products and services.

By making these unauthorized text message calls, Defendant has caused consumers actual harm, not only because consumers were subjected to the aggravation that necessarily accompanies the receipt of unauthorized text message calls, but also because consumers frequently have to pay their cell phone service providers for the receipt of such unauthorized text message calls.

On behalf of herself and the putative Class, Plaintiff seeks an injunction requiring Defendant to cease all unauthorized text message call activities alleged herein and an award of statutory damages to Plaintiff and the members of the putative Class.

Netflix Settles class action lawsuit over retention practices of former customers

As part of the settlement, Netflix agreed to change its data retention practices so viewing histories of customers who haven’t subscribed to the service for at least a year will no longer be identifiable. Netflix notified customers of the policy shift in an email Monday.

The lawsuit alleges that the video streaming and DVD-by-mail service retained customers’ movie and TV show viewing data longer than permitted under the U.S. Video Privacy Protection Act and disclosed information on viewing histories to unnamed third parties.

In addition to changing its retention policies, the company also agreed to pay $9 million, but the money will be distributed cy pres to privacy advocacy groups. No money will go to Netflix consumers.