ClixSense pays its users to view advertisements, perform online tasks, and complete online surveys. The company collects personal information from users, such as their full names, dates of birth, email and postal addresses, usernames, passwords, and answers to security questions, as well as Social Security numbers for those who make more than $600 a month.
In its complaint against ClixSense, the FTC alleges that the website’s operator, James V. Grago, Jr., deceived consumers by falsely claiming that ClixSense “utilizes the latest security and encryption techniques to ensure the security of your account information.” In fact, ClixSense failed to implement even minimal data security measures. The complaint alleges that ClixSense failed to implement readily available measures to limit access between computers on its network (network segmentation); failed to change default login and password credentials for third-party network resources; and stored consumers’ personal information, including names, dates of birth, answers to security questions, login and password credentials, and Social Security numbers, in clear text with no encryption.
The FTC alleges that these failures allowed hackers to gain access to the company’s network through a browser extension that ClixSense had downloaded. The complaint notes that ClixSense was put on notice that its network was compromised by the visible traces the hackers left. For example, the hackers accessed documents, email accounts, and credentials stored on employee laptops; changed employees’ logins and passwords; redirected email notifications for multiple network accounts, including ClixSense’s cloud and Domain Name System (DNS) hosting services; and redirected visitors to the ClixSense website to an unaffiliated adult-themed website.
As a result of ClixSense’s data security failures, the hackers downloaded a document from ClixSense that contained clear text information regarding 6.6 million consumers, including some 500,000 U.S. consumers. The hackers then published and offered for sale, on a website known for posting security exploits, personal information pertaining to approximately 2.7 million consumers, including full names and physical addresses, dates of birth, gender, answers to security questions, email addresses and passwords, as well as hundreds of Social Security numbers.
As part of the settlement, Grago is prohibited from misrepresenting the extent to which any company he controls protects the privacy, security, confidentiality, or integrity of the personal information it collects. If any company he controls collects or maintains personal information, Grago must implement a comprehensive information security program and obtain independent biennial assessments of that program. Grago is also prohibited from making misrepresentations to the third party performing those biennial assessments, and he must provide an annual certification of compliance to the Commission.