Debt brokers buy and sell consumer debt, and they are responsible for the security of the very sensitive data that’s exchanged.
Two debt brokers have agreed to settle Federal Trade Commission charges that they exposed the financial information of 55,000 consumers while trying to sell portfolios of consumer debt on a public website. The debt brokers allegedly posted unencrypted documents online containing consumers’ names, addresses, credit card numbers, bank account numbers, and amounts the consumers allegedly owed.
The agreements with the FTC require Cornerstone and Company, LLC and its owner, Brandon Lambert, and Bayview Solutions, LLC and its owner, Aron Tomko, to abide by strict new requirements to protect consumers’ sensitive information.
The sensitive data was posted on a website geared for debt buyers, sellers, and other members of the debt collection industry, but accessible to anyone with an Internet connection.
The risks in exposing the data ranged from identity theft to “phantom debt” collection. Phantom debt collection involves predatory debt collectors who try to extract payments from consumers without the authority to collect the debts.
In response to the FTC’s lawsuits, a federal court ordered the website hosting the sensitive information to take it down immediately. It also ordered the defendants to notify the affected consumers that their information had been exposed and of steps they could take to protect themselves.
Under the settlements, the defendants must establish and maintain security programs that will protect consumers’ sensitive personal information. In addition, the companies must have their security programs evaluated both initially and every two years by a certified third party.