Two debt sellers allegedly posted the people's personal information on unencrypted, publicly accessible spreadsheets that were post online.
Two debt sellers allegedly posted the people's personal information on unencrypted, publicly accessible spreadsheets that were post online.

Two debt sellers who exposed the personal information online of more than 70,000 people will have to notify consumers and explain how they can protect themselves against identity theft and other fraud, according to a Federal Trade Commission (FTC) press release.

The two defendants, Cornerstone and Company, LLC, and Bayview Solution, LLC, both posted bank account and credit card numbers, birth dates, contact information, employers' names, and information about the debts consumers supposedly owed on a publicly accessible website. Although the site was targeted toward debt collection industry workers, the information was available to any site visitor.

The defendants posted their portfolios, which contained the sensitive information, as Excel spreadsheets on the website without encryption, redaction or other protections. The portfolios were allegedly on sale to disclose past-due payday loan, credit card, and other purported debt. The FTC alleges that the portfolios were accessed more than 500 times.

Cornerstone and Company and Bayview allegedly violated the FTC Act by unfairly exposing consumers' personal information without their knowledge or consent.

The FTC wrote in its complaints that the defendants violated consumers' privacy, put them at risk of identity theft and exposed them to “phantom” debt collection, or a practice in which debt collectors attempt to get payments from consumers when they do not have the authority to do so. The personal data exposures also labeled the victims as debtors, which could put them at risk of other harms, including loss of employment or employment opportunities, the FTC said.

“Debt brokers and collectors who play fast and loose with people's sensitive personal and financial information are causing tremendous harm,” said Jessica Rich, director of the FTC's Bureau of Consumer Protection in a press release. “Companies must treat sensitive consumer information with appropriate care and security, and the FTC will take action when they fail to do so."