Customers who hired the infamous ID theft-protection firm Lifelock to monitor their identities after their data was stolen in a breach were in for a surprise. It turns out Lifelock failed to properly secure their data.
According to a complaint filed in court today by the Federal Trade Commission, Lifelock has failed to adhere to a 2010 order and settlement that required the company to establish and maintain a comprehensive security program to protect sensitive personal data users entrust to the company as part of its identity-theft protection service.
This is ironic, of course, because Lifelock promotes its services to companies that experience data breaches and urges them to offer a complimentary Lifelock subscription to people whose data has been compromised in a breach. To properly monitor victims’ credit accounts to protect them against ID theft, Lifelock requires a wealth of sensitive data, including names and addresses, birth dates, Social Security numbers, and bank card information.
Protecting that data should be a primary concern to Lifelock, particularly in light of the fact that many of its customers have already been victims of a breach. But the FTC found in 2010 that the company had failed to provide “reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network,” either in transit through its network, stored in a database, or transmitted over the internet.
Lifelock had been ordered to remedy that situation, but according to the complaint filed today, it has failed to do so. The complaint is currently sealed, but the previous finding from 2010 provides insight into the company’s security failures.
The CEO of Lifelock, Todd Davis, became famous for advertising his Social Security number on television ads and billboards, offering a $1 million guarantee to compensate customers for losses incurred if they became a victim of identity theft after signing up for the company’s services.
For an annual subscription fee, Lifelock promised customers that it would place fraud alerts on their credit accounts with the three credit reporting agencies. As a result, the company said, thieves would not be able to open unauthorized credit or bank accounts in their name.
“In truth, the protection they provided left such a large hole … that you could drive that truck through it,” FTC Chairman Jon Leibowitz said in 2010, referring to a Lifelock TV ad showing a truck painted with the CEO’s Social Security number driving around city streets.
Leibowitz said the promises were deceptive because thieves could still rack up unauthorized charges on existing accounts—the most common type of identity theft. It also couldn’t prevent thieves from obtaining a loan in a Lifelock customer’s name.
In fact, Lifelock CEO Davis was the victim of identity theft in 2007 when a thief used his widely advertised Social Security number to obtain a $500 loan in Davis’ name.
Lifelock also promised customers that sensitive data they provided the company to perform its protection services would be encrypted and protected in other ways on Lifelock’s servers and accessed only by authorized employees on a need-to-know basis.
“Your documents, while in our care, will be treated as if they were cash,” the company promised.
But it turned out that none of that data was encrypted. The company also had poor password management practices for employees and vendors who accessed the information, and Lifelock failed to limit access to sensitive data to only people who needed access.
What’s more, the company failed to apply critical security patches and updates to its network and “failed to employ sufficient measures” to detect and prevent unauthorized access to its network, “such as by installing antivirus or antispyware programs on computers used by employees to remotely access the network or regularly recording and reviewing activity on the network,” the FTC found.
“As a result of these practices, an unauthorized person could obtain access to personal information stored on defendants’ corporate network, in transit through defendants’ corporate network or over the internet, or maintained in defendants’ offices,” the FTC said in 2010.
Lifelock’s stock price dropped 50 percent, from $16 to $8, following news of the FTC’s new complaint against the company.