Fandango, Credit Karma settle with FTC over security lapses

PORTLAND – The Federal Trade Commission says the mobile applications of movie ticket-seller Fandango and credit report-provider Credit Karma may have exposed millions of users’ sensitive personal information, including credit card data and Social Security numbers.

The companies failed to properly secure their apps over a multiyear period, potentially exposing information users sent or received, according to the FTC.

Fandango and Credit Karma fixed the security issue last year.

The companies said Friday that they are not aware of any individual’s information being compromised. But the FTC said that due to the nature of the types of attacks, it would be nearly impossible to trace.

Fandango, owned by Comcast Corp., and Credit Karma agreed to settle FTC’s charges that they misrepresented the security of their applications and failed to secure information.

As part of the settlements, the companies agreed to establish more comprehensive security programs and undergo independent security assessments every other year for the next 20 years. The settlements also prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.

The FTC said Fandango and Credit Karma disabled a critical process, known as SSL certificate validation, which would have verified that communications were secure. Because of that, the applications were vulnerable to “man-in-the-middle” attacks, which allow attackers to intercept information.

“This is something that would be undetectable to either the consumer or the company,” said Nithan Sannappa of the FTC’s Bureau of Consumer Protection.