The New York Attorney General’s (AG) office has reached a settlement with five companies (Equifax, Western Union, Priceline, Spark Networks, and Credit Sesame) that it said weren’t doing enough to secure their customers’ data.
The state AG office said that in each case the companies had well-known vulnerabilities in their technology that left information like passwords, Social Security numbers and bank information vulnerable to interception by digital eavesdroppers.
As part of the settlement with the state, the companies will be required to implement stronger security programs. The settlement does not relate to any past data breaches that the companies may have reported.
While the firms all advertised security measures to protect user data, the companies didn’t test whether their mobile apps were vulnerable to so-called “man-in-the-middle” attacks, the AG said. In those exploits, an attacker can position themselves between a mobile device and a computer to intercept and view any information that the devices transmit to each other, even if the information has been encrypted. Users on public WiFi are generally most susceptible to this form of intrusion.
According to the settlement, an attacker would have been able to easily impersonate the companies’ servers and take information from users in order to commit identity fraud.
The AG’s office said the settlement with the five companies came as the result of an effort to uncover security vulnerabilities before any information has been stolen.
“Businesses that make security promises to their users—especially as it relates to personal information—have a duty to keep those promises,” AG Barbara Underwood said in a statement.
Details of the security programs being required of the companies were not immediately made available.