The Federal Trade Commission (FTC) has announced a proposed settlement with Illusory Systems Inc., also known as Nomad, after the company failed to put in place proper data security measures. This failure led to a significant security breach in which hackers stole $186 million from consumers.
According to the FTC’s complaint, Nomad had promoted itself as a “security-first” service provider but did not meet its own claims. The FTC alleged that Nomad did not use secure coding practices, lacked processes for addressing vulnerability reports and responding to security incidents, and failed to adopt common technologies that could have reduced consumer losses.
The incident began in June 2022 when Nomad released code containing a major vulnerability. Hackers exploited this weakness just over a month later. Due to insufficient security and incident response procedures, Nomad was unable to stop the attack quickly, resulting in $186 million being stolen. While some funds were recovered, about $100 million of consumers’ money remained lost.
Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, stated: “The FTC Act requires companies to take reasonable security measures. It’s important that companies live up to their security promises to consumers.”
The FTC said that, despite warnings about inadequate testing and the need for better staffing and security measures, Nomad did not implement basic safety precautions that could have lessened consumer harm.
Under the terms of the proposed order, Nomad is barred from misrepresenting its security practices and must:
- Create a comprehensive information security program aimed at protecting consumers from theft or unauthorized access;
- Undergo independent third-party assessments of its information security program every two years and cooperate with assessors;
- Return any money recovered after the breach that has not already been returned to affected customers.
The Commission voted 2-0 to approve the proposed complaint and order for public comment. A summary of the consent agreement will be published soon in the Federal Register. The public will have 30 days after publication to submit comments before the Commission decides whether to finalize the consent order. Instructions for submitting comments will be included in the notice published on Regulations.gov.
An administrative complaint from the Commission means it has reason to believe that the law was violated and that a proceeding is in the public interest. Once such an order is finalized, violations of it may result in civil penalties of up to $51,744 per offense.
M. Hasan Aijaz and Julia Horwitz from the FTC’s Bureau of Consumer Protection are leading this case.
The FTC encourages consumers seeking more information or wishing to report fraud or scams to visit consumer.ftc.gov or ReportFraud.ftc.gov.
