At the request of the Federal Trade Commission, a federal court has ordered two debt sellers that posted the sensitive personal information of more than 70,000 consumers online to notify the consumers and explain how they can protect themselves against identity theft and other fraud in light of the disclosures.
In two separate cases, the FTC alleges the debt sellers posted consumers’ bank account and credit card numbers, birth dates, contact information, employers’ names, and information about debts the consumers allegedly owed on a public website.
The complaints allege that the debt sellers exposed this sensitive information in the course of trying to sell portfolios of past-due payday loan, credit card, and other purported debt.
According to the complaint, the defendants posted their portfolios, in the form of Excel spreadsheets, on the website without encryption, appropriate redaction, or any other protection, meaning any visitor to the website could access and download the spreadsheets, and use the information to exploit consumers.
The website where the information was posted caters to the debt collection industry but was open to public viewing. The FTC alleges that the portfolios have been accessed at least over 500 times.
“Debt brokers and collectors who play fast and loose with people’s sensitive personal and financial information are causing tremendous harm,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Companies must treat sensitive consumer information with appropriate care and security, and the FTC will take action when they fail to do so.”
In its complaints, the FTC alleges the disclosures violated the consumers’ privacy, put them at risk of identity theft, and exposed them to “phantom” debt collection, a practice in which unscrupulous debt collectors try to extract payments from consumers when they do not have authority to collect the debts. The FTC noted that the disclosures also publicly branded the consumers as debtors, putting them at risk of other harms, including possible loss of employment or employment opportunities.
The defendants in the two cases include Cornerstone and Company, LLC, of Riverside, Calif., and its owner, Brandon Lambert; and Bayview Solutions, LLC, of St. Petersburg, Fla., and its owner, Aron Tomko.
The FTC’s complaints allege the defendants violated the FTC Act by unfairly exposing consumers’ personal information without their knowledge or consent. The agency is asking the court to stop the defendants from repeating these actions in the future and to require the defendants to provide redress to consumers injured by their actions.
The court entered a preliminary injunction against the defendants in the Cornerstone case on September 10, 2014. The defendants in the Bayview case agreed to the entry of a preliminary injunction in their case, which was entered on Nov. 3, 2014. In addition to requiring the defendants to notify affected consumers, the injunctions require the companies to use reasonable safeguards for consumer information in their possession.
This case is part of the FTC’s continuing crackdown on scams that target consumers from every community in financial distress. Due to the FTC’s action, the spreadsheets containing the consumers’ personal information have been removed from the internet.