Upromise.com, a site popular with cash-strapped college students, just settled FTC claims it violated consumer protection laws by inadvertently gleaning a host of personal and financial account information from users.
The Sallie Mae-backed service works by hooking students up with rebates on purchases from hundreds of participating retailers, which they can choose to save or spend in a number of ways, such as investing in a 529 savings plan or paying off student loans.
Like many other financial services companies, Upromise decided to rev up its offerings by launching a “TurboSaver Toolbar” that would track consumers’ searches on the web and highlight results from participating retailers.
All of that would have been well and good if it was all the service really did.
In claims filed two years ago, the FTC alleged Upromise failed to inform users of exactly how much information they were giving up.
The plug-in, which was powered by a third-party vendor, came with a “personalised offer” option that lifted a whole lot more than Google searches from their computers.
The toolbar allegedly collected and transmitted credit card and account numbers, expiration dates and security codes, user names and passwords for secure sites and social security numbers, according to the Bureau of Consumer Protection.
Users could have opted out, but in some cases the function was already pre-checked as the default setting. In the process, the site put many students at risk for identity theft.
If a student had logged into an on-campus coffee shop or library with an unsecured WiFi network, any hacker with a clue could have intercepted the data as it was lifted and transmitted via the TurboSaver toolbar. It’d all be pretty much downhill from there.
A Upromise spokesperson said Tuesday that the security issue, which was caused by a glitch in the toolbar vendor’s software, affected only 1 per cent of its users.
“The protection of personal information is extremely important to us and we took immediate action to resolve the issue,” the company said in a statement. “We have no evidence of any misuse of data. We have fully cooperated with the FTC and have addressed their concerns.”
To settle the FTC’s claims, Upromise has had to make a few promises of its own.
For one, it has to fully inform consumers about how its software and services function. It will also receive an independent security review every other year for the next 2 decades and must establish an information security program.
It will also destroy all the data collected through the personalised offers feature on the toolbar and make clear how users can opt out of the service.
See the FTC’s full complaint here.