Fandango and Credit Karma agreed today to settle complaints by the Federal Trade Commission that they failed to properly secure data that consumers entered on their mobile apps, leaving them at risk of being hacked.
The companies disabled a "critical default process" (called SSL certificate validation) that would have verified that the communications over the apps were secure, according to an FTC press release.
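To make the disabled check concrete, the following is an added example written for this article, not code from Fandango, Credit Karma or the FTC, and in Go rather than the apps' own iOS code. A loopback HTTPS server with a self-signed certificate (a constructed test fixture, standing in for an attacker's endpoint on an unsecured network) is contacted by three clients: one with certificate validation switched off, which accepts the forged certificate exactly as the apps did; one with default validation, which rejects it as signed by an unknown authority; and one that trusts that specific certificate explicitly, which is the correct way to handle a private or test certificate without disabling validation for everyone.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// newUntrustedServer starts a loopback HTTPS server whose certificate is
// self-signed (httptest's built-in test certificate, a constructed fixture).
// No client that checks the chain against the system trust store will accept
// it, so it models an attacker-controlled endpoint on a hostile network.
func newUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}

// fetch performs one GET with the supplied TLS settings and returns the body,
// or the error the TLS layer raised.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// InsecureConfig mirrors the defect in the FTC complaints: certificate
// validation is switched off, so any certificate, forged or not, is accepted.
func InsecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// DefaultConfig leaves validation on: the chain must lead to a trusted root
// and the certificate must match the host being contacted.
func DefaultConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// PinnedConfig is the fix when a private or self-signed certificate is
// genuinely expected (internal test servers, for instance): trust that one
// issuer explicitly instead of disabling validation globally.
func PinnedConfig(cert *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool}
}

// IsUntrustedCertError reports whether err is the unknown-authority failure a
// correctly configured client raises for a certificate it cannot chain to a root.
func IsUntrustedCertError(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Run exercises the three configurations against the untrusted server and
// returns whether the insecure client connected, whether the default client
// rejected the certificate, and whether the pinned client connected.
func Run() (insecureOK, defaultRejected, pinnedOK bool) {
	srv := newUntrustedServer()
	defer srv.Close()

	_, err := fetch(srv.URL, InsecureConfig())
	insecureOK = err == nil

	_, err = fetch(srv.URL, DefaultConfig())
	defaultRejected = IsUntrustedCertError(err)

	_, err = fetch(srv.URL, PinnedConfig(srv.Certificate()))
	pinnedOK = err == nil
	return
}

func main() {
	a, b, c := Run()
	fmt.Printf("validation off accepted untrusted cert: %v\n", a)
	fmt.Printf("default client rejected it: %v\n", b)
	fmt.Printf("pinned client accepted the expected cert: %v\n", c)
}
```

The point a reviewer should take from the three results is that the insecure client cannot distinguish the real server from an impostor, while the pinned configuration shows that a legitimate need to trust an unusual certificate never requires turning validation off.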
By overriding this process, movie ticket provider Fandango compromised the security of purchases made through its Apple (AAPL) iOS app by failing to secure consumers' credit card information as well as their email addresses and passwords. Credit Karma, which provides credit score information, exposed even more of its customers' personal information, including Social Security numbers, names, dates of birth and home addresses, along with credit report details such as account names.
"Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption," said FTC Chairwoman Edith Ramirez, in a press release. "Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps."
The settlements require Fandango and Credit Karma to add new security measures and procedures during the development of their applications, and to undergo independent security assessments every other year for the next 20 years.
In a statement, a spokesman for Credit Karma said, "Credit Karma is actively cooperating with the FTC and entered into this agreement to reinforce its commitment to data security. This issue was limited to mobile applications operating on unsecured networks only, and has since been addressed. There are no known individuals who were affected as a result."
Representatives from Fandango were not immediately available for comment.