Fandango, Credit Karma Settle FTC Claims Of Inadequate Data Security on Mobile Apps

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

March 28 — Movie ticket company Fandango LLC and consumer credit information company Credit Karma Inc. have agreed to settle Federal Trade Commission charges that they misrepresented the security of their mobile applications and failed to protect the transmission of the sensitive personal information of millions of consumers, the FTC announced March 28.

The FTC alleged that the two companies disabled an important default process, Secure Sockets Layer (SSL) certificate validation, which checks that the server an app connects to is the one it intends to reach; without that check, encrypting the connection does not by itself make the apps' communications secure, the FTC said in a statement.

“As a result, the companies' applications were vulnerable to ‘man-in-the-middle' attacks, which would allow an attacker to intercept any of the information the apps sent or received,” the FTC said.

“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” FTC Chairwoman Edith Ramirez said in the FTC's statement. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”
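The failure described above, as an added example that is not code from Fandango, Credit Karma or the FTC: a Go program that mints two self-signed certificates for the hypothetical hostname api.example.com (one for the genuine server, one an interposed attacker would present) and runs three TLS handshakes over loopback. A client with certificate validation switched off (Go's InsecureSkipVerify, standing in for the app-level override of platform validation the complaints describe) accepts the attacker's certificate; a client that keeps validation on rejects it and completes the handshake only with the genuine server. The hostname, certificate parameters and the choice to trust a single pinned certificate are assumptions for illustration, not details from the complaints.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// host is a hypothetical API hostname chosen for this example.
const host = "api.example.com"

// must aborts the demo on setup errors (key generation, certificate minting).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert mints a throwaway certificate for host in-process so the
// example runs offline; a man-in-the-middle attacker would present one like it.
func selfSignedCert(serial int64) (tls.Certificate, *x509.Certificate) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	parsed, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, parsed
}

// disabledValidation is the misconfiguration the complaints describe: with
// verification off, the client trusts whatever certificate it is shown.
var disabledValidation = &tls.Config{InsecureSkipVerify: true}

// hardened keeps validation on, trusts only the genuine certificate and checks it was issued for host.
func hardened(trusted *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{ServerName: host, RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// handshake runs one TLS handshake over loopback TCP (server presenting
// serverCert, client using clientCfg) and returns the client's error.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			_ = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		conn.Close()
	}
	<-done
	return err
}

type Results struct {
	DisabledVsAttacker error // validation off: attacker's certificate accepted (nil)
	EnforcedVsAttacker error // validation on: attacker's certificate rejected (x509 error)
	EnforcedVsGenuine  error // validation on: genuine certificate accepted (nil)
}

// RunDemo mints a genuine and an attacker certificate for the same hostname and runs both clients against them.
func RunDemo() Results {
	genuine, genuineX509 := selfSignedCert(1)
	// The attacker cannot steal the genuine key, so it mints its own certificate for the same name.
	attacker, _ := selfSignedCert(2)
	return Results{
		DisabledVsAttacker: handshake(attacker, disabledValidation),
		EnforcedVsAttacker: handshake(attacker, hardened(genuineX509)),
		EnforcedVsGenuine:  handshake(genuine, hardened(genuineX509)),
	}
}

func main() {
	r := RunDemo()
	fmt.Println("validation disabled, attacker cert:", r.DisabledVsAttacker)
	fmt.Println("validation enforced, attacker cert:", r.EnforcedVsAttacker)
	fmt.Println("validation enforced, genuine cert: ", r.EnforcedVsGenuine)
}
```

The point the three results make is the one in the FTC's statement: encryption was in place in all three handshakes, but only the client that validated the certificate could tell the genuine server from an interposed one. Pinning a single certificate is the simplest hardened form for a demo; a production app would more commonly trust a CA set and still keep hostname checking on.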

Sensitive Data Potentially Exposed

Fandango failed to test its movie app for Apple Inc.'s iOS operating system to ensure that the app was validating SSL certificates and securing consumers' information, leaving their information vulnerable for almost four years, the FTC alleged in a draft administrative complaint. The company also didn't have “a clearly publicized and effective channel for receiving security vulnerability reports,” according to the complaint.

Similarly, Credit Karma failed to perform an adequate security review or test its iOS and Android apps prior to their launch, the FTC said in a draft administrative complaint. In addition, as a result of the company's failure to properly oversee the security practices of its service providers, the iOS app was storing authentication tokens and passcodes insecurely, the FTC claimed.

Overriding the default SSL certificate validation process exposed consumers' personal information, such as their credit card details, e-mail addresses and passwords, Social Security numbers, names, dates of birth, home addresses, phone numbers, credit scores and other credit report details, the FTC said in the complaints.

Both companies have corrected the security vulnerabilities, the FTC said.

Violations of FTC Act?

Both Fandango and Credit Karma had made representations that they would secure consumers' information, the commission alleged.

The FTC alleged that the two companies' practices were unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45. The commission's use of the unfairness prong in data security enforcement actions is being challenged in federal court.

Under the proposed consent orders, Fandango and Credit Karma have agreed to:

  • not misrepresent the privacy or security of consumers' information;
  • establish and implement comprehensive security programs; and
  • obtain initial and biennial security assessments and reports from an independent third party.

The FTC is accepting comments on the proposed agreements through April 28. The FTC released analyses of the Fandango and Credit Karma consent orders to aid public comment.

DLA Piper LLP represented Fandango. Morrison & Foerster LLP represented Credit Karma. FTC counsel represented the commission.

The proposed Fandango consent order is available at

The proposed Credit Karma consent order is available at

Additional information on the cases is available at and