RockYou settles FTC charges related to 2009 breach
Online gaming firm will pay $250,000, submit to independent audits for 20 years after exposing data on 30 million users
Computerworld - RockYou will submit to third-party security audits for the next 20 years as part of a settlement of charges filed by the U.S. Federal Trade Commission in connection with a Dec. 2009 data breach that exposed email addresses and passwords of more than 30 million people.
As part of the settlement announced Tuesday, the online social gaming company will also pay a $250,000 civil penalty to settle charges that it violated the Children's Online Privacy Protection Act (COPPA) by knowingly collecting email information from about 180,000 underage children without first getting parental consent.
The proposed settlement also requires RockYou to maintain a formal data security program and prohibits it from making 'deceptive claims' about its privacy and security practices.
In a statement, RockYou CEO Lisa Marino called the settlement a "fair" one.
"We appreciate the work the FTC has done in this process as they have been fair, reasonable and timely throughout," she said. "The events that led to this complaint occurred over two years ago and we have long since removed the features that led to this investigation. The focus of our business has evolved - we no longer operate applications such as those included in the complaint."
The case against RockYou is part of a broad effort by the FTC to ensure that companies live up to their security promises, the agency said in a statement.
To date, the FTC has brought legal action against about 36 organizations for failing to protect consumer data despite each company's claims of having measures in place to protect personal data.
RockYou, a Redwood City, Calif. developer of popular social media games like Gourmet Ranch and Zoo World, disclosed in Dec. 2009 that a user database had been compromised, exposing personal identification data of some 30 million registered users.
The breach was considered to be particularly egregious by some because the password data had been stored in plain text instead of being hashed, as is common practice.
The breach happened shortly after database security vendor Imperva warned RockYou about a serious SQL injection error in a page on its site.
Despite that warning, RockYou failed to immediately address the issue, Imperva claimed at that time. Less than two days after the warning, a hacker broke into RockYou's subscriber database, and accessed the 32,603,388 email addresses and plain text passwords stored in it.
A lawsuit filed against RockYou by a consumer in connection with the case was settled last December.
The settlement with the FTC comes a few days after Verizon released a report showing that a vast majority of data breaches are avoidable and stem from causes that require relatively little effort to mitigate.
According to Verizon more than 95% of the breaches it investigated in 2011 stemmed from fundamental security mistake such as using default configurations and passwords and failing to detect SQL injection errors such a the one that resulted in the RockYou breach.
Rob Rachwald, director of security strategy at Imperva, said that it is somewhat odd that that RockYou was fined for violating COPAA requirements but not for a breach that let hackers access more than 30 million passwords.
Rachwald contends that hackers are still using passwords from the RockYou breach to break into email accounts. "If you go to any dark market, the RockYou list is the gold standard for breached password lists," Rachwald said.
SQL injection vulnerabilities of the sort that caused the RockYou breach are also very common Rachwald said.
Many hackers use vulnerability scanning tools to probe websites for SQL injection flaws that they then exploit using automated SQL injection tools such as Havij, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- Hackers steal user data from the European Central Bank website, demand money
- Arrests made after international cyber-ring targets StubHub
- SQL injection flaw opens door for Wall Street Journal database hack
- Goodwill Industries probes possible payment card breach
- Aloha point-of-sale terminal, sold on eBay, yields security surprises
- The biggest data breaches of 2014 (so far)
- Blue Shield discloses 18,000 doctors' Social Security numbers
- PF Chang's says breach was 'highly sophisticated criminal operation'
- Breaches exposed 1 in 7 US debit cards in 2013
- New malware program targets banking data
Read more about Security in Computerworld's Security Topic Center.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!