Credit Karma Agrees To A Settlement

Why Was Credit Karma Sued?

Credit Karma was sued by the FTC because they disabled SSL for multiple years, which is a security certificate used to verify that data is safe and secured from third parties. This left credit card data, social security numbers, full names and addresses vulnerable to attack.
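As an added illustration (not Credit Karma's code, nor anything from the FTC filing), the snippet below shows in Python's standard `ssl` module what the difference between a client that really verifies the server and one that has had that verification switched off looks like, together with a small audit function that flags the weak settings. The helper names and the finding labels are invented for this example; the `ssl` API calls are the real ones.

```python
import ssl

# Added example, not code from the article or from Credit Karma: a client
# TLS context that verifies the server beside one that does not, plus an
# audit that reports which protections are missing.


def hardened_client_context() -> ssl.SSLContext:
    """Context that actually verifies the server: CA-signed certificate,
    hostname match against the certificate, and TLS 1.2 or newer."""
    ctx = ssl.create_default_context()   # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Context with certificate checking switched off. Any certificate,
    including one presented by an attacker in the middle, is accepted, so
    the data travelling over the connection is not protected from third parties."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # disables chain validation entirely
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of short labels (invented for this example) naming each
    missing protection; an empty list means the context verifies properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    # TLSVersion is an IntEnum, so ordering comparisons are meaningful here.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    return findings


if __name__ == "__main__":
    for name, builder in (("hardened", hardened_client_context),
                          ("weak", weak_client_context)):
        print(f"{name}: {audit_tls_context(builder()) or 'ok'}")
```

The weak context is exactly what an "SSL disabled" client amounts to in practice: the bytes may still be encrypted, but because no certificate or hostname is checked, anyone who can sit on the network path can present their own certificate and read everything. The audit function is the kind of check worth running over every client context an application builds.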

In the end they agreed to settle with the FTC on charges of misrepresentation of security and failure to secure information.

Was Any Information Leaked?

According to Credit Karma no information was leaked due to this security vulnerability, but it’s difficult to know for certain, given that the types of attacks hackers could perform are by design discreet.

What Was The Settlement Amount?

  • Agreement to establish more comprehensive security programs
  • Undergo independent security assessments every other year for the next 20 years

They also must not misrepresent the security of their applications or websites or any other product or service they operate. No other settlement payment has been announced as of yet.

What Does This Mean To You?

If you are or were a Credit Karma customer, it means that whilst they claimed “industry-leading security precautions” and that they used SSL, this was in fact not the case for a long time on their iOS & Android apps. It isn’t clear if SSL was also not used on their website.

This has since been fixed, in large part thanks to the FTC. Credit Karma doesn’t know if any of this data was leaked, but they don’t have any reason to believe it was. When this happens the offending company is usually required to provide consumers with a free copy of their credit report and credit monitoring; this hasn’t been ordered by the FTC, as there is no evidence that the data was actually accessed.

It’d also be interesting to see how a company that provides free credit monitoring would deal with providing free credit monitoring under the government’s guidelines. At this stage we suggest all Credit Karma users get a copy of their credit report from annualcreditreport.com to see if any new accounts have been opened in their name without their knowledge.

Hat tip to the FTC