The FTC alleged that Illusory’s security failures allowed hackers to exploit a coding vulnerability and steal $186 million from consumers
The Federal Trade Commission is taking action against Illusory Systems Inc. for failing to implement adequate data security measures, leading to a major security breach in which hackers stole $186 million from consumers.
Under a proposed order settling the FTC’s allegations, Utah-based Illusory, which does business as Nomad, will be required to implement an information security program to address numerous alleged security failures and to return recovered money to affected consumers.
“The FTC Act requires companies to take reasonable security measures,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection. “It’s important that companies live up to their security promises to consumers.”
In its complaint, the FTC alleged that Nomad prominently touted its security in its advertising, claiming that it offered “security-first” services. The FTC, however, alleged that the company failed to live up to these promises by failing to: use secure coding practices; implement processes for receiving and addressing vulnerability reports and responding to security incidents; and utilize widely known technologies that might have helped mitigate consumer losses.
According to the complaint, in June 2022, Nomad introduced inadequately tested code that included a significant vulnerability. Just over a month later, hackers began exploiting the vulnerability. The FTC alleged that Nomad failed to respond to the attack in time because of its inadequate security and incident response measures, which led to the loss of $186 million. The company was able to recover some money, but consumers lost approximately $100 million.
Nomad was warned about the dangers of inadequate testing as well as the need to ensure it had adequate staff and security in place. The company, however, failed to implement basic safety measures that would mitigate consumer losses, the FTC alleged.
Under the proposed order, Nomad will be prohibited from making misrepresentations about its security practices. The company will also be required to:
- Implement a comprehensive information security program that is designed to protect consumers from theft or other unauthorized access and address the security issues outlined in the FTC’s complaint;
- Obtain biennial assessments of its information security program by an independent third party and cooperate with the third-party assessor; and
- Return to consumers money recovered following the security breach that was not already returned to customers.
The Commission voted 2-0 to accept the proposed complaint and order for public comment.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.
The lead staff attorneys on this matter are M. Hasan Aijaz and Julia Horwitz with the FTC’s Bureau of Consumer Protection.
The Federal Trade Commission works to promote competition and protect and educate consumers. The FTC will never demand money, make threats, tell you to transfer money, or promise you a prize. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.




