FTC settles with rewards company over security infractions

A company that helps students save for college may have made them richer, but also could have opened them up to fraud.

The company, Upromise, which is owned by Sallie Mae, failed to live up to its vow to keep customers secure, which violated federal law, the FTC said Thursday in a news release announcing a settlement.

Upromise, which adds small amounts of money to a savings account when users buy items from their partner merchants, asked users to download a "TurboSaver Toolbar" so they could locate merchants that provide rebates. The company encouraged customers to enable the "Personalized Offers" component of the toolbar because, Upromise said, it would allow them to get more customized deals.

The problem, though, according to the FTC, is that the information Upromise collected in order to provide those deals was transmitted unencrypted. This contradicted the company's commitment that, in the off chance it inadvertently collected a piece of personal information, it would protect users' data and identities by, among other things, encrypting confidential information in transit.

But that wasn't the case, said one researcher who studied the website and its information-collection practices.

"In my testing, when a user checked an innocuously-labeled box promising 'Personalized Offers,' the Upromise Toolbar tracked and transmitted my every page-view, every search, and every click, along with many entries into web forms," Ben Edelman, an assistant professor at Harvard Business School, wrote in a January 2010 blog post. "Remarkably, these transmissions included full credit card numbers -- grabbed out of merchants' HTTPS (SSL) secure communications, yet transmitted by Upromise in plain text, readable by anyone using a network monitor or other recording system."

As a result of the settlement, Upromise must erase any data it previously collected through the Personalized Offers feature, provide clear disclosure policies and obtain consent from consumers before they install any similar product. In addition, the company must notify the users who had enabled the feature, telling them what data was collected and giving instructions on how to remove the feature and the toolbar.

Debby Hohler, a spokeswoman for Upromise, told SCMagazine.com that the incident only affected about one percent of the company's members and she is not aware of any resulting fraud.

"The protection of personal information is extremely important to us and we took immediate action to resolve the issue," she said. "We have fully cooperated with the FTC and have addressed their concerns."
