Lookout sold a web-based computer product, the “I-9 Solution,” designed to help employers complete and maintain a U.S. Citizenship and Immigration Services Form I-9 about each employee. The I-9 Solution routinely collected and stored information from or about its customers’ employees, including, names; addresses; dates of birth; Social Security numbers; and driver’s license numbers. Lookout also made statements to its customers promising the security of the information collected from the website.
An employee of a Lookout customer gained access to the personal information of over 37,000 consumers by obtaining a URL for a secure web page during a webinar for the I-9 Solution. She typed that URL into her browser, bypassed the Lookout login page, and gained access to a portion of the I-9 database without having to provide a valid user credential. She gained access to the entire database by making easy-to-guess changes to the URL. Lookout did not employ an intrusion detection system or adequately monitor system logs, so it is unknown if other unauthorized persons were able to access personal information in the database.
The FTC filed a complaint against Lookout for failing to: (a) “implement reasonable policies and procedures for the security of sensitive consumer information collected and maintained;” (b) “establish or enforce rules sufficient to make user credentials hard to guess;” (c) “require periodic changes of user credentials;” (d) “suspend user credentials after a certain number of unsuccessful login attempts;” (e) “adequately assess and address the vulnerability of Lookout’s web application to widely-known security flaws;” (f) prevent users from bypassing the “authentication procedures on Lookout’s website when they typed in a specific URL;” (g) “employ sufficient measures to detect and prevent unauthorized access to computer networks;” and (h) prevent “an unnecessary risk to personal information by storing passwords used to access the I-9 database in clear text.”
Take Away: (1) monitor on and off-site access to confidential websites and webpages; (2) always require logins for websites and webpages containing confidential information; (3) limit dissemination of the location of confidential information to outside persons; (4) meet the standard you establish in your user documents and privacy policies.