FTC Alleges Lax Data Practices Led to Utah Developer's $186M Breach
Illusory Systems violated the FTC Act by failing to implement data security measures as advertised, which enabled a $186 million breach, the agency alleged Tuesday in a proposed settlement with the Utah-based blockchain developer.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Illusory Systems, which does business as Nomad, failed to live up to data security promises to consumers, the agency said. The company didn’t “use secure coding practices; implement processes for receiving and addressing vulnerability reports and responding to security incidents;” or “utilize widely known technologies that might have helped mitigate consumer losses,” the FTC said.
The non-monetary settlement requires Nomad to “implement an information security program to address numerous alleged security failures and to return recovered money to affected consumers.”
The company designed and advertised a service that “allows users to transfer messages and assets, a type of platform commonly known as a ‘cross-chain bridge,’” according to the FTC. The agency said hackers exploited Nomad’s unsecured system in August 2022 and transferred out about $186 million of consumer assets. Users ultimately lost more than $100 million, the agency said. An attorney for Nomad didn’t comment Tuesday.