[BreachExchange] Virtual dress-up website settles with the FTC following data breach
Destry Winant
destry at riskbasedsecurity.com
Mon Apr 29 09:13:58 EDT 2019
https://www.theverge.com/2019/4/27/18518619/i-dress-up-virtual-website-ftc-data-breach
On Wednesday, the Federal Trade Commission settled a case with Onixiz,
the owners of i-Dressup, an online flash game website dedicated to
dressing up virtual dolls and designing clothes. According to the
complaint, the website violated the Children’s Online Privacy
Protection Act (COPPA) and risked its young users’ data security.
i-Dressup operated pretty much like any flash game website you
remember from the early 2000s. It featured timeless classics like
“Sexed-Up Style,” “Floral Hats,” and the “Feminine Ruffle,” some of
which you are still able to play on other dress-up sites that have
apparently ripped the games and republished them.
COPPA requires companies that provide online services or are targeted
to children under 13 to maintain specific privacy standards, like
receiving parental consent and providing “reasonable” data security
for its young users. The FTC complaint claims that i-Dressup failed
the test for compliance on both of those fronts.
The data security problems were particularly pronounced. In 2016, Ars
Technica reportedthat the site exposed the passwords belonging to more
than 5.5 million user accounts in plaintext and a hacker was able to
download millions of credentials by using a SQL injection attack,
which exploited vulnerabilities in i-Dressup’s security
infrastructure, or lack thereof. According to the press release, about
245,000 of those users were under 13 years of age.
It wasn’t until 2018 that the website was finally forced offline by
the New Jersey Department of Consumer Affairs as a response to the
2016 data breach. In a statement at the time, New Jersey Attorney
General Gurbir S. Grewal said, “Children are extremely vulnerable on
the internet and we must do all we can to protect them from being
exploited by advertisers or tracked by internet predators.” Who these
predators were is unclear, but they certainly weren’t addressed in the
FTC’s press release this week.
In the comments of posts on the website’s Facebook page “i-Dressup.com
Dress up games for people who love fashion,” reactions to the
website’s removal included one user writing, “I cannot open
i-dressup.Its showing SQL ERROR...why?? I am scared.” Others said,
“,this was my favorite game in the world.i just cant belive it was
hacked” and “I can’t play the game.”
In order to settle the case for the COPPA violations, i-Dressup’s
owners will pay out $35,000 in civil penalties, which will go to the
US Treasury. According to the FTC, i-Dressup’s owners are “prohibited
from violating COPPA in the future, and can’t sell, share, or collect
any personal information until they implement a comprehensive data
security program and get independent biennial assessments.” It’ll also
be required to submit annual compliance certificates to the agency in
the future as well.
No word from i-Dressup on whether it’ll relaunch in the future.
More information about the BreachExchange
mailing list