June was a big month in cyber crime for the FBI, but they are not the only enforcers looking out for your digital privacy and data protection.

June of 2012 saw some welcome successes in the struggle against those who abuse computers and networks for malicious or misguided ends. However, we were also reminded that defeating cyber crime requires not only detection and prosecution but also prevention. Let's begin with a selective recap, starting with the FBI announcement that a two-year undercover operation called “Operation Card Shop” had come to fruition.

Busting two dozen people in 13 countries for fraud involving computer crime was described by the Bureau as “the largest coordinated international law enforcement action in history directed at ‘carding’ crimes—offenses in which the internet is used to traffic in and exploit the stolen credit card, bank account, and other personal identification information of hundreds of thousands of victims globally.”

The operation involved a fake website called CarderProfit.com created by the FBI and described as a “veritable eBay for thieves.” Criminals used the site to buy and sell stolen credit card information without knowing they were being watched. Federal officials say this elaborate sting prevented potential losses of more than $200 million.

Other FBI cyber crime-fighting successes in June include the arrest of a Pennsylvania man on charges of hacking into a variety of companies and government agencies and selling stolen access credentials. There were guilty pleas in one high-profile case as two members of the LulzSec hacking collective, Ryan Cleary and Jake Davis, pled guilty to various cyber crimes in a UK court, and in another headline-grabbing case a serious recommended punishment was filed concerning a man from Jacksonville, Fla., who hacked into celebrity email accounts. Perhaps the fear of five years in jail and paying a six-figure restitution will help deter folks from invading other people's digital space.

In light of these news items it might seem strange to turn the spotlight on the Federal Trade Commission (FTC) as a force for good in the realm of information security. Indeed, many corporate executives might be more confused than concerned to get a message from reception saying, "There's someone from the FTC here to see you." Compare that to the instant elevation of blood pressure produced by these words: "There's someone from the FBI here to see you." However, the FTC has been laying down the law pretty aggressively when it comes to corporate information security practices and postures.

On the same day that the FBI announced the rounding up of those credit card hackers, the FTC announced it was suing Wyndham Hotels for allegedly failing to secure the financial information of its guests. Wyndham operates 7,200 hotels and 93,000 vacation properties worldwide, and its three subsidiaries—Wyndham Hotel Group, Wyndham Hotels and Resorts, LLC, and Wyndham Hotel Management—are alleged to have “misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information and that its failure to safeguard personal information caused substantial consumer injury.”

The suit is based on three different security breaches: the 2008 exposure of half a million credit card accounts belonging to Wyndham guests; the 2009 theft of another 50,000 card numbers; and a 2010 breach involving 69,000 accounts. Apparently Wyndham is not clear about how the FTC regards this type of security breach, telling SC Magazine that “the company has yet to learn of any fraud that resulted from the breaches.” In its complaint, the FTC alleges Wyndham's privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' information. If you've been following the FTC's privacy and security actions over the last decade you will know that losses suffered by consumers are not material to the charge that security practices are unfair and deceptive and violate the FTC Act.

Ten years ago it was Microsoft that came under fire from the FTC which alleged false security and privacy promises pertaining to Microsoft's Passport Single Sign-In, Passport Wallet, and Kids Passport. The case was settled by Microsoft agreeing to implement and maintain a comprehensive information security program. In addition, Microsoft agreed to have its security program “certified as meeting or exceeding the standards in the consent order by an independent professional every two years.”