December 18, 2018
The New York State Attorney General's office has reached a settlement with Western Union, Equifax, Priceline, Spark Networks and Credit Sesame Inc. over their alleged failure to secure sensitive personal and financial data customers entered into their mobile apps, according to a press release.
The NY AG alleged that the five companies' mobile apps provided inadequate Transport Layer Security, which left them open to man-in-the-middle attacks when used over public Wi-Fi networks. Passwords and credit card, bank account and Social Security numbers were all subject to interception by techniques well known to hackers, the press release said.
The AG said that mobile apps offered by the companies failed to properly authenticate SSL/TLS certificates, which left them vulnerable to an attacker impersonating the companies' servers.
All of the companies said they used protocols sufficient to protect customer information; however, regulators said the companies did not sufficiently test whether the mobile apps had these protocols, according to the release. The settlement requires that the companies take sufficient steps to secure their apps.
"Businesses that make security promises to their users — especially as it relates to personal information — have a duty to keep those promises," AG Barbara Underwood said in the release. "My office is committed to holding businesses accountable and ensure they protect users' personal information from hackers."
The announcement is part of an effort by the AG's office to examine the security of various sites before consumers fall victim to cyber attacks and other breaches, the regulator said. The AG's office said it has tested dozens of apps and online sites as part of the effort.