RockYou settles FTC charges related to 2009 breach
Online gaming firm will pay $250,000, submit to independent audits for 20 years after exposing data on 30 million users
Computerworld - RockYou will submit to third-party security audits for the next 20 years as part of a settlement of charges filed by the U.S. Federal Trade Commission in connection with a Dec. 2009 data breach that exposed email addresses and passwords of more than 30 million people.
As part of the settlement announced Tuesday, the online social gaming company will also pay a $250,000 civil penalty to settle charges that it violated the Children's Online Privacy Protection Act (COPPA) by knowingly collecting email information from about 180,000 underage children without first getting parental consent.
The proposed settlement also requires RockYou to maintain a formal data security program and prohibits it from making 'deceptive claims' about its privacy and security practices.
In a statement, RockYou CEO Lisa Marino called the settlement a "fair" one.
"We appreciate the work the FTC has done in this process as they have been fair, reasonable and timely throughout," she said. "The events that led to this complaint occurred over two years ago and we have long since removed the features that led to this investigation. The focus of our business has evolved - we no longer operate applications such as those included in the complaint."
The case against RockYou is part of a broad effort by the FTC to ensure that companies live up to their security promises, the agency said in a statement.
To date, the FTC has brought legal action against about 36 organizations for failing to protect consumer data despite each company's claims of having measures in place to protect personal data.
RockYou, a Redwood City, Calif. developer of popular social media games like Gourmet Ranch and Zoo World, disclosed in Dec. 2009 that a user database had been compromised, exposing personal identification data of some 30 million registered users.
The breach was considered to be particularly egregious by some because the password data had been stored in plain text instead of being hashed, as is common practice.
The breach happened shortly after database security vendor Imperva warned RockYou about a serious SQL injection error in a page on its site.
Despite that warning, RockYou failed to immediately address the issue, Imperva claimed at that time. Less than two days after the warning, a hacker broke into RockYou's subscriber database, and accessed the 32,603,388 email addresses and plain text passwords stored in it.
A lawsuit filed against RockYou by a consumer in connection with the case was settled last December.
The settlement with the FTC comes a few days after Verizon released a report showing that a vast majority of data breaches are avoidable and stem from causes that require relatively little effort to mitigate.
According to Verizon, more than 95% of the breaches it investigated in 2011 stemmed from fundamental security mistakes such as using default configurations and passwords and failing to detect SQL injection errors such as the one that resulted in the RockYou breach.
Rob Rachwald, director of security strategy at Imperva, said that it is somewhat odd that RockYou was fined for violating COPPA requirements but not for a breach that let hackers access more than 30 million passwords.
Rachwald contends that hackers are still using passwords from the RockYou breach to break into email accounts. "If you go to any dark market, the RockYou list is the gold standard for breached password lists," Rachwald said.
SQL injection vulnerabilities of the sort that caused the RockYou breach are also very common, Rachwald said.
Many hackers use vulnerability scanning tools to probe websites for SQL injection flaws that they then exploit using automated SQL injection tools such as Havij, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.