12 companies that the FTC has gone after for lax security

The FTC targets companies that they say have not lived up to their security promises.

00 ftc settlement

On the attack

The FTC has brought legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information. The courts have upheld the FTC's right to do so. Here are companies that have gotten in the FTC's cross-hairs with regard to less than adequate security practices.

Also read: FTC’s actions put CSOs on high alert

01 wyndham


The United States Court of Appeals for the Third Circuit rules in favor of the FTC against Wyndham Worldwide. The FTC sued Wyndham indicating that data security failures led to three data breaches in less than two years. 

02 fandango


According to the FTC, last year Fandango’s mobile apps left consumers’ sensitive personal information, including credit card information and Social Security numbers, vulnerable to interception by third parties.

03 credit karma

Credit Karma

Similar to the charges against Fandango, Credit Karma faced allegations last year. The settlements, first announced in March 2014, require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years.

04 snapchat


Snapchat, the developer of a mobile messaging app, last year settled Federal Trade Commission charges that it deceived consumers with promises about the disappearing nature of messages sent through the service.

05 gmr transcription

GMR Transcription Services

GMR Transcription Services had to deal with FTC charges last year when it was said to have exposed personal information of thousands of consumers. The FTC alleged that GMR contractors transcribed audio files and downloaded the files from the company’s network, transcribed them, and then uploaded transcripts back to the network. GMR then made the transcripts available to customers either directly or by e-mail.

06 epn


The FTC charged EPN, a debt collector based in Provo, Utah, whose clients have included healthcare providers, commercial credit organizations and retailers, failed to implement reasonable security measures for personal information on its computers and networks.

07 cbr

Cbr Systems

In 2013, the operator of a leading cord blood bank, Cbr Systems, agreed to settle Federal Trade Commission charges that it failed to protect the security of customers’ personal information, and that its inadequate security practices contributed to a breach that exposed Social Security numbers and credit and debit card numbers of nearly 300,000 consumers, according to the FTC.

08 ceridian


The FTC claimed that Ceridian’s did not adequately protect its network from reasonably foreseeable attacks and stored personal information in clear, readable text indefinitely on its network. These security lapses enabled an intruder to breach one of Ceridian’s web-based payroll processing applications in December 2009, and compromise the personal information – including Social Security numbers and direct deposit information – of approximately 28,000 employees of Ceridian’s small business customers.

Lookout Services

Lookout Services

Back in 2011, the FTC charged Lookout with reckless security, despite the company’s claims that its system kept data reasonably secure from unauthorized access. For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser.

10 riteaid

Rite Aid

In 2010, the FTC investigated Rite Aid  when it heard that the pharmacy was using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications.

11 twitter


Twitter had a complaint lodged against it in 2010 when the Federal Trade Commission charged that the social networking service deceived consumers and put their privacy at risk by failing to safeguard their personal information,

12 daveandbusters

Dave & Buster’s

According to the FTC, in 2010 Dave & Buster’s collected credit card numbers and expiration dates from customers in order to obtain authorization for payment card purchases. The agency alleges the company failed to take reasonable steps to secure this sensitive personal information on its computer network.

Copyright © 2015 IDG Communications, Inc.