Debt Sellers Must Notify Customers after Posting Personal Information Online
A federal court ordered two debt sellers to notify approximately 70,000 consumers after they posted sensitive personal information online, putting consumers at risk for identity theft and fraud.
The Federal Trade Commission (FTC) issued the complaint after debt sellers posted consumers' bank accounts, credit card numbers, birth dates, contact information, work information and debt information on a public website. The complaints allege that the sellers exposed this information in the course of trying to sell portfolios of past-due payday loan, credit card, and other purported debt.
According to the complaint, the defendants posted their portfolios, in the form of Excel spreadsheets, on the website without encryption, appropriate redaction, or any other protection, meaning any visitor to the website could access and download the spreadsheets. The website caters to the debt collection industry but was open to public viewing. The FTC alleges that the portfolios have been accessed at least over 500 times.
In its complaints, the FTC alleges the disclosures violated the consumers' privacy, put them at risk of identity theft, and exposed them to phantom debt collection, a practice in which unscrupulous debt collectors try to extract payments from consumers when they do not have authority to collect the debts. The FTC noted that the disclosures also publicly branded the consumers as debtors, putting them at risk of other harms, including possible loss of employment or employment opportunities.
The spreadsheet has since been removed from the website.
The companies are required to notify and provide redress to affected consumers and to implement safeguards to ensure the action is not repeated.