
With a corporate name like Lookout, it pays to — well — look out.  Unfortunately, according to the FTC’s complaint against Lookout Services, Inc., the company’s questionable security practices left the door open for an employee of one of Lookout’s customers to access sensitive information, including Social Security numbers, of thousands of people.

Lookout sells a web-based product called the I-9 Solution.  Taking its name from Immigration Services Form I-9 — familiar paperwork to most small businesses — the product is designed to help employers comply with their obligations under federal law.  The I-9 Solution collects and stores information from or about its customers’ employees, including names, addresses, dates of birth, Social Security numbers, passport numbers, alien registration numbers, driver’s license numbers, and military ID numbers.  Anticipating concerns about security, Lookout told prospective customers “Although the data is entered via the web, your data will be encoded and transmitted over secured lines to Lookout Services server. This FTP interface will protect your data from interception, as well as, keep the data secure from unauthorized access.”  In addition, the company claimed, “Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated software tools.”

Here’s where the “look out” part comes into play.  According to the FTC’s complaint, during a webinar about using the I-9 Solution, an employee of a Lookout business customer got the URL for a secure web page.  She later typed that URL into her browser and gained unauthorized access to a portion of the I-9 database.  By typing the precise URL into the browser, she bypassed Lookout’s login page and was never prompted to provide a valid user credential.  With minimal easy-to-guess changes to the URL, she gained access to the entire database.

Two months later, she went to the public-facing login web page for the I-9 Solution, where she tried several “likely suspect” user IDs and passwords, including the user ID “test” and the password “test.”  Because this was a valid credential for one of Lookout’s customers, entering “test” as the user ID and password gave her access to the personal information of the more than 11,000 people employed by that Lookout customer.  Then, by making minimal easy-to-guess changes to the URL, she was again able to access the entire database, which included the personal information of more than 37,000 people.
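The access-control failure described above (no authentication check on the record page, and sequential identifiers that let one known URL be turned into the whole table), shown as an added example beside a hardened handler. This is illustrative code written for this post, not Lookout's software; the record store, the `Session` class and the `/records/<id>` URL scheme are constructed assumptions.

```python
"""Forced browsing / predictable resource location, modelled as a tiny
in-memory web app. Added example: the records, session layout and URL
scheme are constructed assumptions, not the real I-9 Solution."""

from dataclasses import dataclass
from typing import Optional

# Constructed sample data: employee records keyed by a sequential id,
# each belonging to one customer (employer).
RECORDS = {
    1001: {"customer": "acme", "name": "A. Example", "ssn": "***-**-0001"},
    1002: {"customer": "acme", "name": "B. Example", "ssn": "***-**-0002"},
    1003: {"customer": "globex", "name": "C. Example", "ssn": "***-**-0003"},
}


@dataclass
class Session:
    user: str
    customer: str  # the employer whose records this login may see


def vulnerable_handle(path: str, session: Optional[Session]) -> tuple:
    """Serves /records/<id> with no check at all: neither whether a session
    exists nor which customer it belongs to. Typing the URL is enough, and
    because ids are sequential the whole table can be walked."""
    if path.startswith("/records/"):
        rid = int(path.rsplit("/", 1)[1])
        rec = RECORDS.get(rid)
        return (200, rec) if rec else (404, None)
    return (404, None)


def hardened_handle(path: str, session: Optional[Session]) -> tuple:
    """Every request is authenticated before routing, and every record is
    authorized against the requesting customer. An unauthenticated request
    is redirected to login; a record belonging to another customer returns
    404 rather than 403 so that its existence is not leaked."""
    if session is None:
        return (302, "/login")
    if path.startswith("/records/"):
        try:
            rid = int(path.rsplit("/", 1)[1])
        except ValueError:
            return (400, None)
        rec = RECORDS.get(rid)
        if rec is None or rec["customer"] != session.customer:
            return (404, None)
        return (200, rec)
    return (404, None)


def enumerate_records(handler, session, start=1000, stop=1010):
    """The attacker's step: starting from one known URL, walk nearby ids
    and collect those that come back with data."""
    hits = []
    for rid in range(start, stop):
        status, _rec = handler(f"/records/{rid}", session)
        if status == 200:
            hits.append(rid)
    return hits
```

Two things matter in the hardened version: the authentication check runs before any route is matched, so there is no page that can "forget" it, and each record is authorized against the customer on the session, so a valid login for one employer still cannot walk into another employer's data. Unguessable identifiers are worth adding on top, but they are defense in depth, not a substitute for the authorization check.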

The FTC’s complaint lists a number of questionable practices, including that Lookout:

  • allowed easy-to-guess user IDs and passwords, including common dictionary words as the password and user ID — or even using the same word for both;
  • stored passwords in clear text;
  • failed to require periodic changes of user credentials and didn’t suspend user credentials after a certain number of unsuccessful login attempts;
  • didn’t adequately address the vulnerability of Lookout’s web app to widely-known security flaws, like predictable resource location, in which URLs follow a guessable pattern (such as sequential record numbers), so a user can alter the URL to reach pages that should require authorization;
  • allowed users to bypass authentication procedures when they typed in a specific URL; and
  • failed to employ sufficient measures to prevent and detect unauthorized access to computer networks.
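The three credential controls the complaint says were missing (rejecting dictionary words and a password identical to the user ID, as with "test"/"test"; storing only salted hashes rather than clear text; and suspending an account after repeated failed logins), as an added example. The code is written for this post and is not taken from Lookout; the word list, the 12-character minimum, the five-attempt lockout and the PBKDF2 parameters are illustrative choices.

```python
"""Credential hygiene for a login form: password screening, salted
hashing and lockout. Added example with a constructed user store; the
thresholds and word list are illustrative, not a recommended policy."""

import hashlib
import hmac
import os
from typing import Optional

# Constructed: a tiny list of common words. A real deployment screens
# against a much larger dictionary and breached-password list.
COMMON_WORDS = {"test", "password", "welcome", "admin", "letmein", "lookout"}
MIN_LENGTH = 12            # illustrative
LOCKOUT_THRESHOLD = 5      # illustrative
PBKDF2_ITERATIONS = 200_000  # illustrative; tune to the server's hardware


def password_problems(user_id: str, password: str) -> list:
    """Returns the reasons a candidate password is unacceptable
    (an empty list means it passed screening)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    if password.lower() == user_id.lower():
        problems.append("same as user ID")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the clear text is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    def __init__(self):
        self._users = {}  # user_id -> {"salt", "hash", "failures", "locked"}

    def create(self, user_id: str, password: str) -> None:
        problems = password_problems(user_id, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        self._users[user_id] = {"salt": salt, "hash": digest,
                                "failures": 0, "locked": False}

    def login(self, user_id: str, password: str) -> str:
        """Returns 'ok', 'locked' or 'denied'. Unknown user IDs still pay
        the hashing cost so timing does not reveal whether an ID exists."""
        rec = self._users.get(user_id)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # constant-cost decoy
            return "denied"
        if rec["locked"]:
            return "locked"
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked"] = True
            return "locked"
        return "denied"
```

One caveat on the list above: current guidance (NIST SP 800-63B) no longer recommends routine forced password rotation; screening against common-word and breach lists, as in `password_problems`, plus a lockout or rate limit on the login page, is what would have stopped the "test"/"test" guessing described earlier.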

As the FTC has always said, data security isn’t a “one size fits all” proposition, but put these lapses together and they spell “look out,” resulting in an FTC law enforcement action.  To settle the case, the company has agreed to implement a comprehensive information security program, including independent, third-party security audits every other year for 20 years.

On a related note, interested in a big picture perspective on the FTC and data security?  Read Bureau of Consumer Protection Director David Vladeck’s recent testimony before the House Committee on Energy and Commerce’s Subcommittee on Commerce, Manufacturing, and Trade.

________________

Offering sound advice is the stock in trade of marketing professionals, the attorneys who represent them — and Moms.  This Mother’s Day, the FTC says you can return the favor by giving Mom consumer tips customized to her interests.  Whether she’s tech-savvy, globe-trotting, or blinged out, share this online game in her honor — with love from ftc.gov.

Here’s another piece of advice:  Send flowers and candy, too.