The US Federal Trade Commission (FTC) has shut down a company that lured consumers into filling out applications for loans that it said would be issued from “trusted lending partners” at the “lowest interest rates” in a secure, safe manner.
The reality alleged by the FTC in its complaint (PDF): Blue Global Media LLC sold those applications – including consumers’ sensitive data – to “virtually anyone willing to pay for the leads,” be they actually loan sellers or who the hell knows what.
Nor did the company check that the buyers were securing the data. Ditto for its failure to follow up on consumers’ complaints that their personally identifiable information (PII) had been subsequently abused.
The FTC also imposed a judgment of $104.5m. That won’t be much of a consolation to the consumers who got snookered, though. Blue Media is bankrupt.
Between December 2012 and January 2017, the company, and its CEO, Christopher Kay, ran what the FTC says are at least 38 sites that solicited loan applications. The names of those domains would make you think that Blue Global had a cloud of fairies sprinkling cash on demand: they included 100dayloans.com, 1houradvance.com, 1hourdirect.com, 1hourlend.com, 1hourpersonalloan.com, 247loan.com, 24sevenloan.com, 3clickloan.com, littlepayday.com, magicinstallmentloans.com, money411.com, moneynowusa.com, moneytoday.com, and moomoocash.com, among others.
As the FTC tells it, Blue Global wasn’t actually a lender. Rather, it just collected loan applications, electronically transmitted the applications to other entities, and sold the rights to use the information as sales leads.
Consumers would very likely get a loan if they filled out an application, Blue Global insinuated. What’s more, whatever data they input into the application was always transmitted in a safe, secure manner, its marketing spiel would have you believe:
Start off by filling out our secure online loan application. After you’ve done that, an advanced search engine uses your information to find the highest loan with the lowest interest rates.
(sevenminuteloans.com/how it works)
NetLoanUSA is America’s LARGEST online personal loan network that connects you to financial loan lenders, nationwide for FREE! START NOW by completing our easy-to-use online application, and once you HIT SUBMIT, we will go to work for you immediately, searching banks, financial companies and cash advance lenders, to find YOUR highest qualified loan amount at the lowest interest rate possible, in UNDER 90 seconds!
(netloanusa.com/home)
In fact, the leads were sold “without regard to loan terms,” and regardless of whether the buyer was in fact a lender, the FTC claims. Chances were good that the organizations manhandling people’s PII were not loan sellers. The FTC claims that, at most, 2% of the application purchasers were actually loan providers. The defendants allegedly sold the applications, and consumers’ sensitive data, to “virtually anyone willing to pay for the leads,” the FTC says.
Nor did Blue Media or its CEO pay attention to how or whether buyers secured the data, the FTC claims. That, in spite of ads that promised fancy state-of-the-art security technologies such as SSL encryption and HTTPS:
Getting a loan online requires the utmost security, privacy and online protection. At RockstarLoan.com, we make all three our top priorities by using industry-leading security protocols and technology. Our SSL encryption services make sure that your personal information is always safe, always secure.
(rockstarloan.com/home)
Our protocols make certain that your personal information is completely protected 24/7 GUARANTEED!
(netloanusa.com/home)
The data the defendants talked consumers into submitting is prime stuff for identity thieves: it included names, addresses, email addresses, phone numbers, birthdates, taxpayer IDs, bank routing and account numbers, driver’s license and state identification numbers, whether and where the consumers were employed, the consumers’ incomes, whether the consumers were in the military, whether the consumers were home owners, whether the consumers had filed for bankruptcy, and the consumers’ approximate credit scores.
Blue Media also allegedly encouraged consumers to allow it to store all their data so that they could quickly create new loan applications. The applications were for a variety of loans: from payday loans in the amount of hundreds of dollars on up to auto loans or personal loans up to $35,000. Blue Media made $200 per lead it managed to sell.
How did it secure the data? Well, it didn’t, the FTC claims.
…they transmitted, passed, or otherwise made consumers’ loan application information available to entities other than “trusted lending partners”. Indeed, Defendants shared consumers’ complete, unredacted loan information with entities that were not engaged in lending, and whose business, use of the leads, and practices for securing sensitive information, were not known to Defendants.
Defendants did not impose any restrictions or conditions to protect against the unauthorized access, use, modification, destruction, or disclosure of consumers’ sensitive personal and financial information when it was placed in the possession of potential buyers or in the possession of entities that received it from Defendants’ potential buyers.
Not only did Blue Media fail to mask consumers’ sensitive financial and personal information when it passed it around to potential buyers, the FTC claims. It also failed to prevent buyers from willy-nilly sharing of the unmasked data with heaven knows what other organizations.
The FTC also accused the company of not taking preventative action or even bothering to investigate after consumers complained that their data had in fact been misused.
The settlement (PDF) includes a $104,470,817 judgment. The FTC said in a press release on Wednesday that payment has been suspended because the defendants are broke.
Blue Global Media filed for bankruptcy protection in January 2017.
Besides the judgment that it can’t pony up, the settlement means that neither the company nor Kay can misrepresent their business and how they handle data in the future. They’ll be required to vet and identify the businesses with whom they sell or share information, and they’ll also be required to get clear consent from consumers before they get their hands on customers’ PII.
From the order:
Defendants shall establish, implement, and maintain procedures to verify the legitimate need for, and monitor the use of, consumers’ Sensitive Personal Information by any Person to whom Defendants sell, transfer, or disclose such information.
Readers, have you been taken for a payday-loan ride? Has it happened to anybody you know? There’s a full list of the 38 Blue Media domains in the FTC’s complaint (PDF).
Please do share your horror stories so others can, hopefully, sidestep similar scumbag sites!
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KfC4Q_Gq-0Q/
Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the 
