By SecureWorld News Team
Mon | Dec 17, 2018 | 7:11 AM PST

The headline of this story might seem a bit confusing until you hear what the New York Attorney General just announced.

It is a cybersecurity settlement with Western Union, Priceline.com, Equifax, Spark Networks, and Credit Sesame regarding the security in their apps.

The apps were not the source of a data breach—that we know of—but they were instead failing at "reasonable cybersecurity."

This is according to tests the Attorney General's office ran proactively to find known security vulnerabilities before a data breach could occur.

“Businesses that make security promises to their users—especially as it relates to personal information—have a duty to keep those promises,” said Attorney General Barbara D. Underwood. “My office is committed to holding businesses accountable and ensure they protect users’ personal information from hackers.”

Known security vulnerability in Priceline, Equifax, and other apps

The Attorney General's office says all five apps suffered from a vulnerability that has been documented many times since 2014, which can lead to a man-in-the-middle (MITM) attack.

The apps failed to properly authenticate the servers they were connecting to, which is a failure in their use of Transport Layer Security (TLS): a client that does not validate the server's certificate chain and hostname will accept a connection from anyone sitting between it and the real server. Here's the plain English of what this means for app users:

"The companies’ mobile apps suffered from a well-known security vulnerability that could have allowed sensitive information entered by users—such as passwords, social security numbers, credit card numbers, and bank account numbers—to be intercepted by eavesdroppers employing simple and well-publicized techniques.

Although each company represented to users that it used reasonable security measures to protect their information, the companies failed to sufficiently test whether their mobile apps had this vulnerability. Today’s settlements require each company to implement comprehensive security programs to protect user information."
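The failure the settlement describes is a TLS client that never checks who it is talking to. The following added Python example (not code from the settlement or from any of the named apps) puts that anti-pattern next to a correctly configured client and adds a small audit function that flags the settings a code review should look for; the function and context names are my own, and the audit covers the three settings that matter most in Python's `ssl` module.

```python
import ssl


def audit_tls_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings explaining why this client context would NOT
    authenticate the server it connects to. An empty list means the
    context verifies the chain, the hostname and refuses old TLS."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "verify_mode is not CERT_REQUIRED: the server certificate chain is never validated"
        )
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is False: a valid certificate for ANY host is accepted"
        )
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS older than 1.2")
    return findings


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern behind the vulnerability: verification switched off.
    Often introduced to 'make a self-signed test server work' and then shipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, or none, is accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What a client that keeps its 'reasonable security' promise looks like."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        problems = audit_tls_client_context(ctx)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run the same audit over every `SSLContext` your code builds (or grep for `CERT_NONE` and `check_hostname = False`) before release; a MITM test against a proxy presenting an untrusted certificate should then fail the handshake rather than succeed.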

