
Punishing Sloppy Security

The Federal Trade Commission released information yesterday on a settlement it reached recently in a case involving a fairly large mortgage company that falsely claimed to be protecting the personal and financial details of its customers. Reading the details of the case, I'm starting to wonder just how pervasive these kinds of atrocious security practices really are.

The company was Tuckerton, N.J.-based Superior Mortgage Corp., a lender with 40 branch offices in 10 states and multiple Web sites. The FTC sued Superior for violating federal safeguard rules on data privacy, alleging the company routinely transmitted customers' Social Security numbers, credit histories, credit card numbers and other sensitive information via unencrypted e-mail. 

From the FTC news release (my links and emphasis added):

"....despite Superior's claims that sensitive personal information collected at its www.supmort.com Web site was encrypted using secure socket layer technology, the information was only encrypted while it was being transmitted between a visitor's web browser and the Web site's server. Once the information was received at the Web site, it was decrypted and e-mailed to Superior's headquarters and branch offices in clear, readable text. The agency alleged that these claims were deceptive and violated the FTC Act."
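The failure the complaint describes is a data-flow problem, not a transport problem: TLS ended at the web server, and whatever the server did next (here, e-mailing the form contents in readable text) was outside its protection. The control a defender would put at that point is an outbound gate that inspects what is about to leave the server. The code below is an added example, not code from the FTC case or from Superior Mortgage: it scans the plain-text body of an outgoing message for Social Security numbers and Luhn-valid card numbers and refuses to forward the message when it finds any. The sample message is constructed, the SSN and card values in it are placeholder test values, and the function names are mine.

```python
"""Outbound e-mail check for cleartext customer data.

Added example (not from the FTC case or Superior Mortgage): a gate that a
web-form handler or mail relay could run before forwarding a message,
refusing to send when the plain-text body carries a Social Security
number or a Luhn-valid payment card number. The sample message below is
constructed; the SSN and card numbers in it are placeholder test values.
"""
import re
from email import message_from_string
from email.message import Message

# Rough SSN shape: 3-2-4 digits, with groups the SSA never issues excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters random digit runs out of CARD_RE hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, matched_text) pairs for SSNs and card numbers in text."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            findings.append(("card", m.group()))
    return findings


def plain_text_of(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_outbound(raw_message: str) -> list:
    """Findings for one RFC 822 message as it would leave the server."""
    return find_sensitive(plain_text_of(message_from_string(raw_message)))


def safe_to_send(raw_message: str) -> bool:
    """The gate: only messages with no findings may be forwarded."""
    return not check_outbound(raw_message)


# Constructed sample: what a form handler might have mailed to a branch office.
# The last line is a Luhn-invalid digit run, which the check correctly ignores.
SAMPLE_MAIL = """\
From: webforms@example.invalid
To: branch@example.invalid
Subject: New application

Applicant: J. Doe
SSN: 123-45-6789
Card: 4111 1111 1111 1111
Order ref: 4111 1111 1111 1112
"""

if __name__ == "__main__":
    for kind, value in check_outbound(SAMPLE_MAIL):
        print(f"blocked: {kind} found in body ({value})")
    print("safe to send:", safe_to_send(SAMPLE_MAIL))
```

A gate like this is a backstop, not the fix: the message it blocks should never have been composed with the raw fields in it. The durable design is to keep the application data in a store the branch offices reach over an authenticated, encrypted channel and to mail only a reference to it, so that nothing sensitive sits in a mailbox in readable form.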

Under the terms of the settlement, the company has to stop making claims that it is protecting its customers' privacy, and it has to hire a third-party auditor to check on and certify its security procedures every two years for the next decade.

In my opinion, given how much sloppy security like this contributes to identity theft and identity fraud (the fastest-growing forms of white-collar crime in the nation, according to the FTC), companies such as Superior should face fines and criminal charges when they fail to protect the information they have sworn to safeguard. Granted, the FTC can only bring civil charges, but I hope consumers will vote with their wallet (and their identity) and not reward this kind of behavior.

By Brian Krebs  |  September 29, 2005; 10:20 AM ET
Categories:  From the Bunker  

Comments

Brian, I don't think that more than 2/3s of companies are this sloppy.

But how are customers to tell what happens behind the scenes? I'd love to vote with my wallet, but who should I vote for? The candidate who tells me they use industry-standard security measures, or the one who tells me that they care deeply about my privacy?

Posted by: Adam S | September 29, 2005 10:26 AM | Report abuse

I think all consumer companies that collect any sort of sensitive information, (including SSNs, addresses, bank info) should be "encouraged" to have a Good Housekeeping Seal of Approval for Info Security. Essentially a third-party audit of security policies, procedures and practices.

The government shouldn't require this, but it can do a lot to see that the industry gets something like this started. And then hopefully competitive market pressures will take over.

Posted by: Michael | September 29, 2005 1:48 PM | Report abuse

I'd say the serious penalty would be forcing such companies to pay for customers to switch to a different provider. Especially with mortgages, this would be very costly for a person to do themselves.

Posted by: Switch providers? | September 29, 2005 3:21 PM | Report abuse

As mentioned by Adam S, the scariest part of scenarios like this is that consumers can't know what is being done with their information. Even for users who feel they are being careful by checking for an https or lock graphic before submitting information (which is insufficient to begin with, since they only indicate that the site is capable of encryption, not necessarily that it has been properly implemented), there is no way of knowing what happens after the info reaches the web server.

How to fix this? It's a complex issue. Oversight and accreditation are expensive and time-consuming. Penalties are time-consuming. It comes down to the paradox of the Internet: We love the technology because it enables information sharing, but that aspect is why information in currently deployed technologies is difficult to protect. This will be a mess until the technologies have been revolutionized.

Posted by: Kim Z | September 30, 2005 2:20 PM | Report abuse

If you promise to do something and you renege, you should be punished.

What this mortgage company did is despicable. There is no excuse.

Posted by: als | October 4, 2005 8:56 PM | Report abuse


© 2010 The Washington Post Company