FTC to Require Illusory Systems to Return Funds Stolen by Hackers and Implement Info Security Program

The Federal Trade Commission (FTC) is now said to be taking action against Illusory Systems Inc. for allegedly failing to implement “adequate data security measures, leading to a major security breach in which hackers stole $186 million from consumers.” Under a proposed order settling the FTC’s allegations, Utah-based Illusory, which does business as Nomad, will be required “to implement an information security program to address alleged security failures and to return recovered money to affected consumers.”

Christopher Mufarrige, the Director of the FTC’s Bureau of Consumer Protection, said that the FTC Act requires “companies to take reasonable security measures.”

He added that it is “important that companies live up to their security promises to consumers.”

In its complaint, the FTC alleged that Nomad prominently touted its security in its advertising, claiming that it offered “security-first” services.

The FTC, however, alleged that the company “failed to live up to these promises by failing to: use secure coding practices; implement processes for receiving and addressing vulnerability reports and responding to security incidents; and utilize widely known technologies that might have helped mitigate consumer losses.”

According to the complaint, in June 2022, Nomad introduced “inadequately tested code that included a significant vulnerability.”

Just over a month later, hackers began “exploiting the vulnerability.”

The FTC alleged that Nomad failed “to respond to the attack in time because of its inadequate security and incident response measures, which led to the loss of $186 million.” The company was able to recover “some money, but consumers lost approximately $100 million.”

Nomad was warned about the dangers of “inadequate testing as well as the need to ensure it had adequate staff and security in place.”

The company, however, failed to implement “basic safety measures that would mitigate consumer losses,” the FTC alleged.

Under the proposed order, Nomad will now be prohibited “from making misrepresentations about its security practices.”

In addition, the company will be required to:

  • Implement a comprehensive information security program that is designed to protect consumers from theft or other unauthorized access and address the security issues outlined in the FTC’s complaint;
  • Obtain biennial assessments of its information security program by an independent third party and cooperate with the third-party assessor; and
  • Return to consumers money recovered following the security breach that was not already returned to customers.

The Commission voted 2-0 to accept the “proposed complaint and order for public comment.”

The FTC will release a description of the “consent agreement package in the Federal Register soon.”

The agreement will be subject to public comment “for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final.”

The Commission issues an administrative complaint when it has “reason to believe” that the law “has been or is being violated, and it appears to the Commission that a proceeding is in the public interest.”

When the Commission issues a “consent order on a final basis, it carries the force of law with respect to future actions.”

Each violation of such an order may result in “a civil penalty of up to $51,744.”

As noted in the update, the lead staff attorneys on this matter are M. Hasan Aijaz and Julia Horwitz with the FTC’s Bureau of Consumer Protection.
