If you participate in the Upromise college savings program and used the TurboSaver Toolbar on its website, you may have had your personal information, including account numbers and other sensitive data, collected without your knowledge, federal investigators say.
The Federal Trade Commission announced recently it has reached a settlement with Upromise to destroy any data it collected, provide "clear and prominent disclosures" to users, obtain users' permission before installing any similar data collector and establish a comprehensive information security program.
Upromise offers college savings through rebates on purchases of items or services bought from its partner merchants. The rebates are placed in college savings accounts such as 529 accounts.
The FTC said Upromise offered participants its TurboSaver Toolbar as a way to identify merchants that provide rebates by highlighting them in search results.
When downloading the toolbar, consumers were encouraged to enable the "personalized offers" feature, which would collect information about websites that users visited to provide individualized savings opportunities.
Upromise told users the information would be encrypted and while names, addresses, email addresses and similar information might infrequently and inadvertently be collected, that information would be removed before the data was transmitted, the FTC said.
Authorities said that wasn't the case. According to a news release:
"The FTC alleges the Toolbar with the 'Personalized Offers' feature enabled collected and transmitted, in clear text, the names of all websites consumers visited and which links they clicked on, as well as information they entered into some webpages, such as search terms, user names and passwords.
In some cases, the information collected included credit card and financial account numbers, user names and passwords used to access secured websites, security codes and expiration dates, and any Social Security numbers consumers entered into the webpages. The Toolbar transmitted consumers' information without encryption."
Upromise issued this statement:
"Two years ago, we learned that an issue with a vendor's software created the potential for inadvertent data access that could have affected approximately 1 percent of our members. Our members' privacy is extremely important to us, and we took immediate action to resolve the issue. There was no evidence of any misuse of data. We have fully cooperated with the FTC and have addressed their concerns."
The FTC news release and lawsuit do not say if any Upromise users were victims of identity theft because of their data being collected. The fed-eral lawsuit says Upromise stopped collecting data in January 2010. It said about 150,000 people had enabled the personalized version of the toolbar.
The settlement is tentative and will be reviewed further following a 30-day public comment period.
Interested parties can submit written comments electronically at https://ftcpublic.commentworks.com/ftc/upromiseconsent.
Comments in paper form should be sent to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.