FTC releases proposed settlement order in RockYou breach; $250k fine for breaching COPPA

The RockYou breach, disclosed in December 2009, stands as the 10th largest breach on DataLossDB’s counter after 32 million login credentials were compromised. A civil suit, Claridge v. RockYou, is still unsettled, although a proposed settlement was submitted to the court in November 2011. Previous coverage on this breach can be found here.

Now the FTC has issued a statement on a proposed settlement of its charges against the firm:

The operator of a social game site has agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission also alleged in its complaint against RockYou that RockYou violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) in collecting information from approximately 179,000 children.

The proposed FTC settlement order with the company bars future deceptive claims by the company regarding privacy and data security, requires it to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay a $250,000 civil penalty to settle the COPPA charges.

The case against RockYou is part of the FTC’s ongoing effort to make sure companies live up to the privacy promises they make to consumers, and that kids’ information isn’t collected or shared online without their parents’ consent.

According to the FTC complaint, RockYou operated a website that allowed consumers to play games and use other applications. Many consumers used the site to assemble slide shows from their photos, using a caption capability and music supplied by the site. To save their slide shows, consumers had to enter their email address and email password.

The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The Rule also requires that website operators post a privacy policy that is clear, understandable, and complete.

The FTC alleged that RockYou knowingly collected approximately 179,000 children’s email addresses and associated passwords during registration – without their parents’ consent – and enabled children to create personal profiles and post personal information on slide shows that could be shared online. The company asked for kids’ date of birth, and so accepted registrations from kids under 13. In addition, the company’s security failures put users’, including children’s, personal information at risk, according to the FTC.

The FTC charged that RockYou violated the COPPA Rule by: not spelling out its collection, use and disclosure policy for children’s information; not obtaining verifiable parental consent before collecting children’s personal information; and not maintaining reasonable procedures, such as encryption, to protect the confidentiality, security, and integrity of personal information collected from children.

The proposed settlement order bars deceptive claims regarding privacy and data security and requires RockYou to implement a data security program and submit to security audits by independent third-party auditors every other year for 20 years. It also requires RockYou to delete information collected from children under age 13 and bars violations of COPPA. Finally, RockYou will pay a $250,000 civil penalty for its alleged COPPA violations.

The FTC has a new publication, Living Life Online, to help tweens and teens navigate the internet safely.

The Commission vote to authorize the staff to refer the complaint to the Department of Justice and to approve the proposed consent decree was 4-0. The DOJ filed the complaint and proposed consent decree on behalf of the Commission in U.S. District Court for the Northern District of California on March 26, 2012. The proposed consent decree is subject to court approval.

So… if it wasn’t for the children’s data, would the FTC have gone after RockYou or fined them? The passwords were stored plain-text, but the only reference to encryption in this release applies to children’s data, not the adults’.

Update: I see that in his coverage of the proposed order, Jaikumar Vijayan reports that the civil suit against RockYou settled in December. If he’s referring to Claridge v. RockYou, the motion for settlement is due to be heard tomorrow (March 28).

RockYou Proposed Settlement Would Leave Decision Standing

Remember the RockYou breach that was disclosed in December 2009? It still ranks as one of the 10 biggest breaches of all time in terms of number of records involved – 32 million users’ login credentials were involved. A lawsuit over the breach created a buzz last year when it did not get dismissed out of hand for lack of standing or failure to demonstrate unreimbursed financial harm.

Now Craig Hoffman reports that there is a proposed settlement in the case:

The parties in the Claridge v. RockYou case submitted a proposed settlement agreement to the court for approval on November 14, 2011. This case, which was filed shortly after RockYou disclosed a breach that compromised 32 million log-in credentials, received national attention in the spring. In April 2011, the California federal district court declined to dismiss the plaintiff’s breach of contract and negligence claims by finding that: “at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified “value” and/or property right inherent in the PII.” Notwithstanding the court’s skepticism concerning the plaintiff’s ultimate ability to prove any actual damages, the court’s recognition of a property right in personal information sufficient to meet the Article III standing requirement was immediately advanced by plaintiffs in other similar cases. Indeed, the RockYou decision and the recent First Circuit decision in Hannaford stand out from the seemingly constant stream of decisions dismissing putative class actions filed against companies who disclose data breaches.

The terms of the proposed settlement will undoubtedly raise some eyebrows because the plaintiff only gets $2,000 while the attorney gets $290,000. But the settlement would prevent a possible loss if the case goes forward and would allow the earlier ruling to stand, which might be of help to others in future cases.

You can read more on Data Privacy Monitor.

RockYou Sued for Failing to Protect the Personal Data of its 32 Million Customers

From the press release:

An Indiana man filed a class action lawsuit Monday against RockYou, the developer of popular online applications and services for use with social networking sites such as Facebook and MySpace, after RockYou failed to safeguard the highly sensitive personal information of him and 32 million others. The lawsuit alleges that RockYou maintained its customers’ email account and password information, as well as the login credentials for social networking sites, in an unencrypted and unsecured database. As a result, according to the lawsuit, hackers were able to harvest all of this information by utilizing a well-known and easy-to-prevent exploit.

The lawsuit is brought by Alan Claridge, Jr., of the Evansville, Ind., area. According to the suit, only after the media began reporting about the data breach did RockYou notify Mr. Claridge and others of the data breach.

“This alleged data breach was by no means unforeseeable. The means of attack has been well-documented for some time, as has been the means to prevent it,” explained Michael Aschenbrener, the lead attorney for the class action. “RockYou allegedly did nothing to prevent the attack or safeguard its customers’ sensitive personal information. How any company in possession of this much data could do nothing to secure it not only violates the law, but also basic common sense.”

The class action seeks injunctive relief and monetary damages for failing to protect RockYou user data.

On its site, RockYou had posted the following about the breach:

As we previously explained, one or more individuals illegally breached one of our databases that contained the usernames and passwords for about 32 million users in an unencrypted format. It also included these users’ email addresses. This database had been kept on a legacy platform dedicated exclusively to RockYou.com widgets. After learning of the breach, we immediately shut the platform down to prevent further breaches.

Importantly, RockYou does not collect user financial information associated with RockYou.com widgets. In addition, user information for users of RockYou applications on partner sites, including Facebook, MySpace, Hi5, Friendster, Bebo, Orkut, Mixi, Cyworld, etc., was not implicated by the breach. The platform breach also did not impact any advertiser or publisher information, which we maintain on a separate and secure system that is not a legacy platform. Lastly, the security breach did not affect our advertising platform or our social network applications.

However, because the platform breached contained user email addresses and passwords, we recommend that our RockYou.com users change their passwords for their email and other online accounts if they use the same email accounts and passwords for multiple online services. Changing passwords may prevent anyone from gaining unauthorized access to our users’ other online accounts. We are separately communicating with our users so that they take this step and are informed of the facts.

It’s hard to imagine the lawsuit prevailing. If anything, some regulatory agency might want to look at whether RockYou misled customers over its security and privacy protections, but I really don’t see how RockYou users are likely to get anywhere with this lawsuit in light of the bulk of court opinions about the need to demonstrate actual harm. Does any reader think this lawsuit has a snowball’s chance?

(update) RockYou admits security snafu exposed email login details

John Leyden reports:

Social media application developer RockYou has vowed to improve its security and apply encryption following a breach that exposed 32 million user login credentials to hackers. Sensitive login credentials – stored in plain text – were left open to attack as a result of an SQL injection vulnerability in RockYou’s website. In a statement, RockYou said the exposed password credentials applied to widgets it develops and potentially exposed user password and email addresses. The developer said user credentials about RockYou applications on partner sites – including Facebook, MySpace, and Orkut – were not exposed by the admitted breach.

Read more on The Register.
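The two failures this report names, credentials stored in plain text and an SQL injection flaw in the website, and the fixes RockYou said it would apply, as an added example; this is not RockYou’s code and not part of the original post. It uses only Python’s standard library: salted scrypt hashing in place of plaintext storage, and a parameterized query beside the string-spliced form that lets user input reach the SQL parser. The sample accounts, the in-memory SQLite table and the scrypt cost parameters are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample registrations (not real RockYou data). The second
# address contains an apostrophe on purpose: it is legitimate input that
# exposes the difference between the two lookup styles below.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse battery staple"),
    ("o'brien@example.com", "hunter2"),
]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt_hex>$<digest_hex>'. A fresh 16-byte salt per user
    means two users with the same password get different stored values, so a
    leaked table cannot be cracked with one precomputed dictionary."""
    salt = salt if salt is not None else os.urandom(16)
    # Assumed cost parameters; raise n on a production box as CPU allows.
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, _digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    # Only the salted hash is written; the plaintext never reaches the table.
    conn.execute("INSERT INTO users (email, pw_hash) VALUES (?, ?)",
                 (email, hash_password(password)))
    conn.commit()


def login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = conn.execute("SELECT pw_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        hash_password(password)  # spend the same time for unknown users
        return False
    return verify_password(row[0], password)


def lookup_concatenated(conn: sqlite3.Connection, email: str) -> List[Tuple[str]]:
    """The defect: the value is spliced into the SQL text, so the database
    parses whatever the user typed as part of the statement."""
    return conn.execute(f"SELECT email FROM users WHERE email = '{email}'").fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> List[Tuple[str]]:
    """The fix: the value travels as a bound parameter and is never parsed."""
    return conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()


def stored_value(conn: sqlite3.Connection, email: str) -> str:
    return conn.execute("SELECT pw_hash FROM users WHERE email = ?",
                        (email,)).fetchone()[0]


def demo() -> dict:
    conn = new_db()
    for email, password in SAMPLE_USERS:
        register(conn, email, password)
    results = {
        "good_login": login(conn, "alice@example.com", "correct horse battery staple"),
        "bad_login": login(conn, "alice@example.com", "wrong"),
        "unknown_user": login(conn, "nobody@example.com", "anything"),
        "stored_for_alice": stored_value(conn, "alice@example.com"),
        "param_lookup": lookup_parameterized(conn, "o'brien@example.com"),
    }
    try:
        lookup_concatenated(conn, "o'brien@example.com")
        results["concat_lookup_error"] = None
    except sqlite3.OperationalError as exc:
        # The apostrophe ended the string literal early and the rest was
        # parsed as SQL; an attacker-controlled value gets the same treatment.
        results["concat_lookup_error"] = type(exc).__name__
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated lookup fails on an ordinary apostrophe because the input is parsed as SQL, which is exactly the property an injection attack relies on; the parameterized form treats the same string as data. The stored value for each account begins with `scrypt$` and contains neither the password nor anything recoverable without a brute-force search against that user’s individual salt.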

Namecheap says accounts compromised in hacking incident

Jeremy Kirk reports:

Hosting provider Namecheap said Monday hackers compromised some of its users’ accounts, likely using a recently disclosed list of 1.2 billion usernames and passwords compiled by Russian hackers. The “vast majority” of login attempts have failed, wrote Matt Russell, vice president of hosting, on a company blog.

Read more on CSOonline.

“Likely” used? Interestingly, one of the reports on the celeb nude pics hack mentioned hackers possibly using passwords obtained from another hack – the RockYou one. It’s not clear whether either of these claims is actually accurate, but it’s a good reminder of the importance of not reusing passwords across sites and of changing all your passwords.

Loss of Personal Information in Security Breach Results in Loss of Some “Unidentified Value”

Craig Hoffman discusses a ruling in a lawsuit against RockYou over a security breach that is noteworthy for the plaintiff’s somewhat novel approach to demonstrating injury due to the breach:

A December 2009 SQL injection attack against social network application maker RockYou.com’s database resulted in the breach of 32 million log-in credentials (e-mail address and password). Not only did RockYou.com store the log-in credentials of its users in plain text, it also stored those users’ log-in credentials for social networking sites like Facebook and MySpace in plain text as well.

[…]

In its April 18, 2011, decision, as an initial matter, the court found that the plaintiff had standing to file the suit (by alleging an injury in fact) in the form of the loss of value of PII. The basis for refusing to find that the plaintiff lacked standing was the “paucity of controlling authority regarding the legal sufficiency of plaintiff’s damages theory” as well as the court’s determination that “the unauthorized disclosure of personal information via the Internet is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.” The court did indicate that it “has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”

[…]

The court’s decision also provides a practical consideration when drafting limitation of liability clauses for website privacy policies. RockYou.com’s privacy policy provided that: “RockYou! . . . assumes no liability or responsibility for . . . (III) any unauthorized access to or use of our secure servers and/or any and all personal information and/or financial information stored therein . . .” RockYou.com argued that this provision barred the plaintiff’s breach of contract claims. The court, however, found that the policy language did not automatically preclude the claim because the plaintiff alleged that the servers were not secure.

Read more on Data Privacy Monitor.

So the plaintiff lives to fight another round, although the court’s doubts suggest that this case ultimately will not prevail. It does serve as a useful reminder to companies, however, that liability disclaimers may only protect you if your servers actually are as secure as you have assured users they are.

Researcher Creates Clearinghouse Of 14 Million Hacked Passwords

Andy Greenberg reports:

Canadian researcher Ron Bowes has created a sort of Wall of Sheep for the entire Internet. By simply collecting all the publicly-spilled repositories of users’ passwords from recent hacking incidents, he’s created a clearinghouse for stolen passwords on his Web site – 14,488,929 distinct passwords to be exact, collected from 32,943,045 users. Bowes didn’t steal these passwords, and they’re not associated with usernames, an extra piece of data that would make listing them far more dangerous. All but 250,000 or so became public after the breach of RockYou.com, a social networking applications site penetrated by cybercriminals using an SQL-injection. Another 180,000 were spilled when the bulletin board software site phpbb was hacked using a vulnerability in one of the site’s plugins. 37,000 more were stolen from MySpace using phishing techniques.

Read more on Forbes.

Top 10 Worst Data Losses or Breaches, updated

It’s been a while since I last revised my list of the largest breaches or data loss incidents worldwide, and the end of the year seems like a good time to look back at what may have been the worst incidents ever in terms of numbers. Remember when the stolen V.A. laptop made headlines in May 2006 as the biggest breach ever? Now they’re down at #7 on my list.

Rank | # of Records or People | Entity | Date of Incident or Report | Type of Incident
1 | 130,000,000 | Heartland Payment Systems | 2009-01-20 | Hack, Malware
2 | 94,000,000 | TJX, Inc. | 2007-01-17 | Hack, Malware
3 | 90,000,000 [1] | TRW/Sears Roebuck | 1984-06-22 | Hack
4 | 70,000,000 [2] | National Archives and Records Administration | 2009-10-01 | Disposal
5 | 40,000,000 | CardSystems Solutions | 2005-06-17 | Hack
6 | 30,000,000 [3] | Deutsche Telekom | 2008-11-01 | Exposure
7 | 26,500,000 | U.S. Department of Veterans Affairs | 2006-05-22 | Stolen Laptop
8 | 25,000,000 | HM Revenue and Customs / TNT | 2007-10-18 | Lost Tapes
9 | 18,000,000 [4] | Auction.co.kr | 2008-02-17 | Hack
9 | 18,000,000 [5] | National Personnel Records Center | 1973-07-12 | Fire
10 | 17,000,000 | Countrywide Financial | 2008-08-01 | Insider
10 | 17,000,000 | T-Mobile | 2008-10-06 | Lost or Stolen Disk

Notes:

[1] TRW’s database held credit information on 90,000,000 and was being accessed for over a year before the company became aware of the problem. The number of records actually accessed is unknown.

[2] NARA does not consider this a breach (.doc).

[3] The number of records actually accessed is unknown.

[4] Auction.co.kr said their number is 10.8 million and not 18 million as reported by other sources.

[5] This incident, involving the loss of paper records in a fire, affected many veterans who were unable to establish their right to receive benefits. Fifteen years later, duplicates of some of the records were located elsewhere and some veterans were first able to get benefits. I’m including it on my list because NPRC was warned about fire concerns during the building’s design and planning stages, but did not implement sufficient precautions to protect the data.

Notice what incidents the list doesn’t include. It doesn’t include:

- A Taiwanese hacking ring that affected over 50,000,000 people by hacks involving a number of organizations or databases,
- The recent RockYou.com hack where a hacker gained access to login details including 32,603,388 passwords in plain text, and
- An AOL incident where names and email addresses of 30,000,000 customers were stolen and sold for spamming purposes.

Have I missed any really large data loss incidents or breaches involving personal information that should have made the Top 10 list, or did I include something that you think shouldn’t be included? If so, let me know.

Image credit: “The Big Mistake” by williamhartz/Flickr, used under Creative Commons License.

Personal Data At Risk After SQL Flaw Discovered

Sophie Curtis reports:

A SQL injection flaw on a social networking app developer site has compromised the security of users and could lead to identity theft.

A SQL injection flaw has been discovered in Rockyou.com – a social networking application development website used by app developers for Bebo, Facebook and Myspace. The flaw could have allowed hackers access to the 32 million usernames and passwords in the Rockyou.com database, according to data security firm Imperva.

Read more on eWeek.