Update: ClixSense has been sold to a company called Prodege, and re-launched as Ysense.com on August 1, 2019.
ClixSense, an online rewards website, and i-Dressup.com, a dress-up games website, have agreed to settle Federal Trade Commission allegations that they failed to take reasonable steps to secure consumers’ data. Both sites let attackers break into their systems and obtain customer data. The two websites are not connected with each other.
According to the FTC, “In a complaint filed by the Department of Justice on behalf of the Commission, the FTC alleged that the operators of i-Dressup.com violated the Children’s Online Privacy Protection Act (COPPA) by failing to obtain parental consent before collecting personal information from children under 13 and failing to provide reasonable security for the data i-Dressup collected.”
ClixSense Violations
Separately, the FTC alleges that ClixSense’s inadequate website security “allowed hackers to gain access to consumers’ sensitive information through the company’s network.” The FTC went on to say that “in its complaint against ClixSense, the FTC alleges that the website’s operator, James V. Grago, Jr., deceived consumers by falsely claiming that ClixSense ‘utilizes the latest security and encryption techniques to ensure the security of your account information.’ In fact, ClixSense failed to implement minimal data security measures and stored personal information in clear text with no encryption.”
The data breach is quite disturbing, and a lot of people were affected, according to the FTC:
“As a result of ClixSense’s data security failures, the hackers downloaded a document from ClixSense that contained clear text information regarding 6.6 million consumers, including some 500,000 U.S. consumers. The hackers then published and offered for sale, on a website known for posting security exploits, personal information pertaining to approximately 2.7 million consumers, including full names and physical addresses, dates of birth, gender, answers to security questions, email addresses and passwords, as well as hundreds of Social Security numbers.”
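The FTC’s description turns on one failure mode: passwords and security-question answers stored in clear text, so a stolen copy of the database is immediately usable. The following is an added example (not code from ClixSense, i-Dressup, or the FTC; the record layout and sample values are constructed for illustration) that contrasts clear-text storage with salted, iterated hashing using only Python’s standard library, so that a leaked record reveals neither the password nor the answer.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample value (not data from the breach)
SAMPLE_EMAIL = "user@example.invalid"


# --- The failure mode the FTC describes: clear-text storage ---------------
def store_cleartext(users: Dict[str, dict], email: str, password: str, answer: str) -> dict:
    """Weak: the record holds the password and the security answer verbatim.

    Anyone who reads the table, or a leaked dump of it, has the secrets directly.
    """
    users[email] = {"password": password, "security_answer": answer}
    return users[email]


# --- Hardened form: per-record random salt + PBKDF2-HMAC-SHA256 -----------
ITERATIONS = 600_000  # work factor; raise it over time as hardware gets faster


def _derive(secret: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> dict:
    """Return a record holding only the salt, the iteration count, and the derived hash."""
    if salt is None:
        salt = os.urandom(16)  # a fresh salt per record defeats precomputed tables
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": _derive(secret, salt, iterations).hex(),
    }


def verify_secret(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = _derive(candidate, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(actual, expected)


def normalize_answer(answer: str) -> str:
    """Light normalization so 'Fluffy ' and 'fluffy' verify as the same answer."""
    return " ".join(answer.strip().lower().split())


def store_hashed(users: Dict[str, dict], email: str, password: str, answer: str) -> dict:
    """Hardened: the stored record never contains the password or the answer."""
    users[email] = {
        "password": hash_secret(password),
        "security_answer": hash_secret(normalize_answer(answer)),
    }
    return users[email]


def login(users: Dict[str, dict], email: str, password: str) -> bool:
    record = users.get(email)
    return record is not None and verify_secret(record["password"], password)


def check_answer(users: Dict[str, dict], email: str, answer: str) -> bool:
    record = users.get(email)
    return record is not None and verify_secret(record["security_answer"], normalize_answer(answer))


def exposes_secret(record: dict, secret: str) -> bool:
    """True if a leaked record literally contains the secret (the clear-text case)."""
    return secret in record.values()


if __name__ == "__main__":
    weak, strong = {}, {}
    store_cleartext(weak, SAMPLE_EMAIL, "correct horse battery staple", "Fluffy")
    store_hashed(strong, SAMPLE_EMAIL, "correct horse battery staple", "Fluffy")
    print("clear-text record leaks password:", exposes_secret(weak[SAMPLE_EMAIL], "correct horse battery staple"))
    print("hashed record leaks password:", exposes_secret(strong[SAMPLE_EMAIL], "correct horse battery staple"))
    print("login with hashed record:", login(strong, SAMPLE_EMAIL, "correct horse battery staple"))
```

The point of hashing the security answers the same way as the password is that, in the breach described above, the answers were exposed alongside the passwords; an answer that can be recovered from the database is a second credential for the attacker. Names, physical addresses and Social Security numbers cannot be hashed this way because the application must read them back, so those fields call for encryption at rest and tight access control rather than a one-way function.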
The FTC went on to describe the settlement with James V. Grago, Jr.: “As part of the settlement, Grago is prohibited from misrepresenting the extent to which any company he controls protects the privacy, security, confidentiality, or integrity of personal information it collects. If any company he controls collects or maintains personal information, Grago must implement a comprehensive information security program and obtain independent biennial assessments of this program. In addition, Grago also is prohibited from making misrepresentations to the third party performing the biennial assessments of any information security program, and must provide an annual certification of compliance to the Commission.”
i-Dressup.com Violations
The FTC alleges that Unixiz, Inc., doing business as i-Dressup.com, and “CEO Zhijun Liu and Secretary Xichen Zhang, violated COPPA by failing to obtain parental consent before collecting personal information from children under 13 and provide reasonable and appropriate security for the data i-Dressup collected.”
The operators of i-Dressup apparently discovered the site was hacked in September 2016. The hacker had accessed their computer network and information about consumers, including children who used i-Dressup. The hacker accessed the information of approximately 2.1 million users—including approximately 245,000 users who indicated they were under 13.
“As part of the proposed settlement with the FTC, i-Dressup and its owners have agreed to pay $35,000 in civil penalties, and are prohibited from violating COPPA. In addition, they are barred from selling, sharing, or collecting any personal information until they implement a comprehensive data security program to protect the information and obtain independent biennial assessments of this program. They also are prohibited from making misrepresentations to the third party performing the assessments of the information security program, and must provide an annual certification of compliance to the Commission.”
I checked Google’s search results and it appears that the i-Dressup.com domain is not currently indexed in Google. It looks like the site is banned in Google’s search results. I have been unable to load the i-Dressup.com site, and the domain is currently under WHOIS privacy.
The ClixSense.com site is still indexed in Google and it appears that they still continue to do business. They’re even currently bidding on their brand name in Google AdWords.