RockYou settles FTC charges related to 2009 breach
Online gaming firm will pay $250,000, submit to independent audits for 20 years after exposing data on 30 million users
Computerworld - RockYou will submit to third-party security audits for the next 20 years as part of a settlement of charges filed by the U.S. Federal Trade Commission in connection with a Dec. 2009 data breach that exposed email addresses and passwords of more than 30 million people.
As part of the settlement announced Tuesday, the online social gaming company will also pay a $250,000 civil penalty to settle charges that it violated the Children's Online Privacy Protection Act (COPPA) by knowingly collecting email information from about 180,000 underage children without first getting parental consent.
The proposed settlement also requires RockYou to maintain a formal data security program and prohibits it from making 'deceptive claims' about its privacy and security practices.
In a statement, RockYou CEO Lisa Marino called the settlement a "fair" one.
"We appreciate the work the FTC has done in this process as they have been fair, reasonable and timely throughout," she said. "The events that led to this complaint occurred over two years ago and we have long since removed the features that led to this investigation. The focus of our business has evolved - we no longer operate applications such as those included in the complaint."
The case against RockYou is part of a broad effort by the FTC to ensure that companies live up to their security promises, the agency said in a statement.
To date, the FTC has brought legal action against about 36 organizations for failing to protect consumer data despite each company's claims of having measures in place to protect personal data.
RockYou, a Redwood City, Calif. developer of popular social media games like Gourmet Ranch and Zoo World, disclosed in Dec. 2009 that a user database had been compromised, exposing personal identification data of some 30 million registered users.
The breach was considered to be particularly egregious by some because the password data had been stored in plain text instead of being hashed, as is common practice.
The breach happened shortly after database security vendor Imperva warned RockYou about a serious SQL injection error in a page on its site.
Despite that warning, RockYou failed to immediately address the issue, Imperva claimed at that time. Less than two days after the warning, a hacker broke into RockYou's subscriber database, and accessed the 32,603,388 email addresses and plain text passwords stored in it.
A lawsuit filed against RockYou by a consumer in connection with the case was settled last December.
The settlement with the FTC comes a few days after Verizon released a report showing that a vast majority of data breaches are avoidable and stem from causes that require relatively little effort to mitigate.
According to Verizon more than 95% of the breaches it investigated in 2011 stemmed from fundamental security mistake such as using default configurations and passwords and failing to detect SQL injection errors such a the one that resulted in the RockYou breach.
Rob Rachwald, director of security strategy at Imperva, said that it is somewhat odd that that RockYou was fined for violating COPAA requirements but not for a breach that let hackers access more than 30 million passwords.
Rachwald contends that hackers are still using passwords from the RockYou breach to break into email accounts. "If you go to any dark market, the RockYou list is the gold standard for breached password lists," Rachwald said.
SQL injection vulnerabilities of the sort that caused the RockYou breach are also very common Rachwald said.
Many hackers use vulnerability scanning tools to probe websites for SQL injection flaws that they then exploit using automated SQL injection tools such as Havij, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- US agencies to release cyberthreat info faster to healthcare industry
- UPS now the third company in a week to disclose data breach
- Healthcare organizations still too lax on security
- Why would Chinese hackers want US hospital patient data?
- About 4.5M face risk of ID theft after hospital network hacked
- Supervalu breach shows why move to smartcards is long overdue
- Grocery stores in multiple states hit by data breach
- Update: Payment cards with chips aren't perfect, so encrypt everything, experts say
- U.S. agencies halt background checks by contractor after cyberattack
- Five unanswered questions about massive Russian hacker database
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!