New York settles with Equifax and others over lax mobile app security

“Businesses that make security promises to their users — especially as it relates to personal information — have a duty to keep those promises,” Underwood said in a statement. “My office is committed to holding businesses accountable and ensure they protect users’ personal information from hackers.” Underwood’s office said the apps in question failed to properly authenticate SSL/TLS certificates, which could allow third parties to intercept user data like passwords, social security numbers, credit card information and bank account numbers.

The attorney general’s office confirmed to Engadget that there were no monetary penalties associated with the settlements. But it said in a press release that the agreements were a result of an ongoing effort to identify security vulnerabilities before any user information had been stolen. “As part of this initiative, the office tested dozens of mobile apps that handle sensitive user information, such as credit card and bank account numbers,” it said.

Update 12/14/18 9:25PM ET: A Priceline spokesperson sent Engadget the following statement on the matter:

In March 2016, the New York State Office of the Attorney General notified Priceline about a potential vulnerability on our Android app. Priceline fixed this issue shortly thereafter. The vulnerability was due to a flaw in a third party’s software library that overrode the code in certain versions of the app. Despite the flaw, SSL encryption was still deployed on the app. Over the course of the inquiry, Priceline did not uncover evidence that any customer data was impacted. As the NYS AG’s office correctly noted, the office’s inquiry was intended to find vulnerabilities before any information was compromised. Priceline cooperated fully to address this issue in 2016, and has continued to evolve our security capabilities. The careful stewardship of customer data is our highest priority.