NYS AG settles with Western Union, Priceline, Equifax, others on mobile app security
Western Union, Equifax, Priceline, Spark Networks and Credit Sesame Inc. all reached settlements with the New York State Attorney General's office regarding what the regulator said was a failure to secure sensitive personal and financial data on their mobile apps, according to a release from the regulator.
The NY AG alleged that the five companies had mobile apps with inadequate Transport Layer Security (TLS), thus making them vulnerable to man-in-the-middle attacks when used over public Wi-Fi networks.
The vulnerability left user data such as credit card numbers, bank account numbers, social security numbers and passwords subject to interception by hackers using fairly well-known techniques, according to the AG's release.
The AG said that the mobile apps used by these companies failed to properly authenticate SSL/TLS certificates, which left them vulnerable to an attacker impersonating the companies' servers and intercepting sensitive data entered into the apps.
The companies all told the AG's office that they employed sufficient protocols to protect information, but regulators said the companies had not adequately tested whether the mobile apps actually implemented those protocols, according to the release. The settlement requires that the companies take sufficient steps to secure these apps.
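The failure the AG describes, an app that does not properly authenticate the server's SSL/TLS certificate, almost always comes down to a trust manager or hostname verifier that accepts anything. The following is an added illustration in Java (the language of the Android apps mentioned later in the article), not code from any of the named companies or from the AG's release: it shows the vulnerable pattern beside the platform-default hardened form, plus a small smoke test that a unit-test suite can run to catch the "trust everything" case, which addresses the regulators' point that the apps were not tested for this. The class and method names are this example's own.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: the certificate-validation failure described in the article, beside the fix. */
public final class TlsValidationExample {

    // VULNERABLE PATTERN (constructed for illustration). A trust manager whose
    // check methods never throw accepts every certificate, so anyone positioned
    // between the phone and the server (for example on an open Wi-Fi network) can
    // present a certificate of their own and read or alter the app's traffic.
    static X509TrustManager trustAllManager() {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    static SSLContext trustAllContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAllManager() }, null);
        return ctx;
    }

    // Commonly found next to it: a hostname verifier that accepts any name. Even
    // with a valid chain, this lets a certificate issued for some other host pass.
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    // HARDENED: passing null trust managers makes the platform's default trust
    // store validate the chain; leave HttpsURLConnection's default hostname
    // verifier untouched so the name on the certificate is checked as well.
    static SSLContext platformDefaultContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx;
    }

    /** The platform's default X509TrustManager, for comparison in the smoke test. */
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Smoke test for a unit-test suite. Any trust manager that validates at all
     * rejects an empty chain (the JDK default throws IllegalArgumentException),
     * whereas a trust-all implementation returns silently. Returning false does
     * not prove validation is correct; returning true proves it is absent.
     */
    static boolean acceptsEverything(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (Exception expectedRejection) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trust-all manager accepts everything: "
            + acceptsEverything(trustAllManager()));        // true
        System.out.println("platform manager accepts everything: "
            + acceptsEverything(platformTrustManager()));   // false
    }
}
```

The smoke test only catches the crudest failure; a full test still needs to connect to a server presenting a self-signed certificate and a certificate for the wrong hostname and confirm that both handshakes fail. On Android, the platform's network security configuration (`res/xml/network_security_config.xml`) can additionally restrict which trust anchors the app accepts, which removes the need for a custom trust manager in most apps.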
"Businesses that make security promises to their users — especially as it relates to personal information — have a duty to keep those promises," AG Barbara Underwood said in the announcement. "My office is committed to holding businesses accountable and ensuring they protect users' personal information from hackers."
The announcement is part of an effort by the AG's office to examine the security of various sites before consumers fall victim to cyber attacks and other breaches, the regulator said. The AG's office said it has tested dozens of apps and online sites as part of the effort.
"Equifax reached a settlement with the New York Attorney General's Office about this matter in May of 2017," Meredith Griffanti, a spokesperson for the company, said in an email. "The vulnerability mentioned was immediately remediated, and we have no evidence that consumer information was impacted as a result."
Priceline said it was notified by the AG's office in March 2016 about a potential vulnerability in its Android app and later fixed the problem, Devon Nagle, spokesperson for the company, said via email. Nagle attributed the flaw to a third-party software library that overrode the app's code in certain versions, and said the company saw no evidence that customer data was compromised.
"Priceline cooperated fully to address this issue in 2016, and has continued to evolve our security capabilities," Nagle said in the email.
Officials at the remaining companies were not immediately available for comment.