FTC Will Require Illusory Systems to Return Money Stolen by Hackers and Implement an Information Security Program
Arizona Free Press
The FTC alleged that Illusory’s security failures allowed hackers to exploit a coding vulnerability and steal $186 million from consumers
The Federal Trade Commission is taking action against Illusory Systems Inc. for failing to implement adequate data security measures, leading to a major security breach in which hackers stole $186 million from consumers.
Under a proposed order settling the FTC’s allegations, Utah-based Illusory, which does business as Nomad, will be required to implement an information security program to address numerous alleged security failures and to return recovered money to affected consumers.
“The FTC Act requires companies to take reasonable security measures,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection. “It’s important that companies live up to their security promises to consumers.”
In its complaint, the FTC alleged that Nomad prominently touted its security in its advertising, claiming that it offered “security-first” services. The FTC, however, alleged that the company failed to live up to these promises by failing to: use secure coding practices; implement processes for receiving and addressing vulnerability reports and responding to security incidents; and utilize widely known technologies that might have helped mitigate consumer losses.
According to the complaint, in June 2022, Nomad introduced inadequately tested code that included a significant vulnerability. Just over a month later, hackers began exploiting the vulnerability. The FTC alleged that Nomad failed to respond to the attack in time because of its inadequate security and incident response measures, which led to the loss of $186 million. The company was able to recover some money, but consumers lost approximately $100 million.
Nomad was warned about the dangers of inadequate testing as well as the need to ensure it had adequate staff and security in place. The company, however, failed to implement basic safety measures that would mitigate consumer losses, the FTC alleged.
Under the proposed order, Nomad will be prohibited from making misrepresentations about its security practices. In addition, the company will be required to:
Implement a comprehensive information security program that is designed to protect consumers from theft or other unauthorized access and address the security issues outlined in the FTC’s complaint;
Obtain biennial assessments of its information security program by an independent third party and cooperate with the third-party assessor; and
Return to consumers money recovered following the security breach that was not already returned to customers.