FTC Fines RockYou $250,000 For Storing User Data In Plain Text

An anonymous reader writes "You probably don't remember the RockYou fiasco as it happened in late 2009. In case you don't, social game developer RockYou suffered a serious SQL injection flaw on its flagship website. Worse, the company was storing user details in plain text. As a result, tens of millions of login details, including those belonging to minors, were stolen and published online. Now, RockYou has finally settled with the Federal Trade Commission."

Plain text

[maroberts]

I suspect that whilst websites have user/password control, and whilst it is common to encrypt passwords in a database, most other database records are mostly in plain text

Seems silly

[girlintraining]

There are perfectly legitimate reasons to maintain user account information in the clear: Namely, that you can't one-way hash anything except the login credentials and have it remain useful. So storing something in plaintext, or not, is not something worth suing and fining someone over. That said, storing the passwords in the clear is almost always a bad idea; and in this day and age, everyone should be using password hashes, preferably with a salt as well, as rainbow tables are increasingly common and accessible as storage costs decrease.

So just want that out there: There are some limited cases where storing login credentials in the clear is a necessity. But that's no excuse for not sanitizing the data... SQL injection attacks are stupidly easy to prevent, and the web designer who wrote the code that allowed it should probably be censured. If you're going to fine a company -- fine them for the injection attack... but leaving data in plain text is not a problem per se.

Re:Layers of problems.

[girlintraining]

... and if they HAD known that they'd be slapped with a $250,000 fine for it they would have done it different.

I'm not convinced. A few years ago I came across a curious story about how companies dumping toxic waste into the ocean were filming themselves doing it and then attaching a check to the EPA for the fine without being contacted by the agency. As it turns out, the cost for disposing of the materials at sea was less than the cost of disposing of it properly even when the fine was assessed for every infraction -- by a considerable margin.

So from that I learned that while a fine might seem large to me ($250,000 is not pocket change to me!), in a business sense it could mean next to nothing, or even be preferable to 'doing it right'.

As well, the cost of that fine will not be borne by the people in charge of causing this train wreck: It will be the people who use the product. As long as there is no individual accountability, the system is fundamentally flawed -- those people can keep right on doing what they are doing, and the company will absorb and dissipate the responsibility and costs of doing so, often with impunity. Fines/punishments should only ever be levelled against the individuals responsible, which provides much greater assurances of competency and ethics than fining a company.

Sadly the fine is less than fixing it

[seifried]

$250,000 is basically one employee for one year (say 100k *2 for overhead/etc.) plus 50k in hardware/software. Properly securing this stuff is bound to cost more than the fines, so sadly I suspect many businesses simply do the math and decide to eat the fine.

I think Fight Club summed it up nicely:

Narrator: A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
Woman on plane: Are there a lot of these kinds of accidents?
Narrator: You wouldn't believe.
Woman on plane: Which car company do you work for?
Narrator: A major one.