
FTC Orders Nomad to Return $186M After Massive Security Breach

The Federal Trade Commission reached a settlement with Illusory Systems Inc., operating as Nomad, requiring the company to return recovered funds and implement comprehensive security measures after hackers exploited coding vulnerabilities to steal $186 million from consumers in July 2022.

AI-generated Summary

Key Takeaways

  • FTC settlement requires Nomad to return recovered funds to consumers and implement mandatory information security program following $186 million hack
  • Company's inadequate coding practices and failure to test software led to preventable security breach in July 2022 that cost consumers $100 million
  • Settlement prohibits misrepresentations about security and requires biennial independent assessments of Nomad's cybersecurity measures

The Federal Trade Commission has taken enforcement action against Illusory Systems Inc., the company operating the Nomad cryptocurrency bridge, for failing to implement adequate data security measures that led to hackers stealing $186 million from consumers. Under a proposed settlement order, the Utah-based company must implement a comprehensive information security program and return all recovered funds to affected consumers.

The enforcement action stems from a July 2022 security breach that the FTC alleges was entirely preventable through basic cybersecurity practices. According to the agency's complaint, Nomad prominently advertised its services as "security-first" but failed to follow through on these promises to consumers.

"The FTC Act requires companies to take reasonable security measures," said Christopher Mufarrige, Director of the FTC's Bureau of Consumer Protection. "It's important that companies live up to their security promises to consumers."

The FTC's investigation revealed that Nomad's security failures were fundamental and widespread. The company allegedly failed to use secure coding practices, implement processes for receiving and addressing vulnerability reports, respond adequately to security incidents, and use widely available technologies that could have mitigated consumer losses.

The timeline of events highlights the preventable nature of the breach. In June 2022, Nomad introduced inadequately tested code that contained a significant vulnerability. Despite having over a month to identify and address the flaw, the company failed to detect the security gap. When hackers began exploiting the vulnerability in July 2022, Nomad's inadequate incident response measures prevented the company from stopping the attack in time.

The breach resulted in the theft of $186 million in consumer funds. While Nomad was able to recover some of the stolen money, consumers still lost approximately $100 million. The FTC alleges that the company had been previously warned about the dangers of inadequate testing and the need to ensure proper staffing and security measures were in place.

The proposed settlement order includes several key requirements designed to prevent future security failures. Nomad will be prohibited from making misrepresentations about its security practices, addressing the gap between the company's marketing claims and actual security implementation.

The company must implement a comprehensive information security program specifically designed to protect consumers from theft and unauthorized access. This program must address all the security issues outlined in the FTC's complaint, including the coding practices, vulnerability management, and incident response procedures that contributed to the breach.

To ensure ongoing compliance, Nomad will be required to obtain biennial assessments of its information security program by an independent third party. The company must also cooperate fully with these third-party assessors, providing transparency into its security practices and implementations.

Perhaps most importantly for affected consumers, the settlement requires Nomad to return all money recovered following the security breach that was not already returned to consumers. This provision ensures that any funds the company was able to reclaim from the hackers will go directly back to the victims of the breach.

The Nomad case represents a significant enforcement action in the growing cryptocurrency sector, where security breaches have become increasingly common and costly. The FTC's action sends a clear message that companies operating in the digital asset space cannot simply market themselves as secure without implementing the necessary technical safeguards.

The settlement also highlights the FTC's approach to cryptocurrency regulation, focusing on fundamental consumer protection principles rather than the novel technology itself. By emphasizing that companies must live up to their security promises regardless of their business model, the agency is applying established consumer protection standards to emerging technologies.

For the broader cryptocurrency industry, the Nomad settlement establishes important precedents about security expectations and accountability. Companies offering cryptocurrency services must ensure their security practices match their marketing claims, implement industry-standard security measures, and maintain adequate incident response capabilities.

The case also demonstrates the FTC's willingness to pursue meaningful remedies for consumers affected by corporate security failures. By requiring the return of recovered funds and ongoing independent security assessments, the settlement goes beyond typical monetary penalties to address both immediate harm and future risk.

As the cryptocurrency industry continues to evolve and attract mainstream adoption, the Nomad enforcement action serves as a reminder that established consumer protection principles apply regardless of technological innovation. Companies must implement robust security measures, respond effectively to incidents, and ensure their marketing accurately represents their actual security capabilities.

The proposed settlement order is subject to public comment and court approval. If finalized, it will provide a framework for how the FTC approaches security failures in the cryptocurrency sector and establish expectations for industry participants moving forward.

Topics: cybersecurity, data breach, consumer protection, regulatory enforcement, financial fraud

Original Source: ftc-news

This AI-generated summary is based on publicly available legal news, court documents, legislation, regulatory filings, and legal developments. For informational purposes only; not legal advice.