LifeLock pulls Wallet app, says it wasn’t compliant with data security standards

LifeLockThe controversial identify theft protection company LifeLock says it has pulled down LifeLock Wallet from app stores over concerns that the app is not compliant with payment card industry standards.

A blog post from LifeLock CEO Todd Davis said all customer data would be deleted from the company’s servers and from the app itself when a user opens the app.

Davis said there was no loss of data, but that removing the app until it is fully compliant with payment card industry data security standards (PCI-DSS) is “the right thing to do.”

We have taken steps to delete all stored information for the mobile app from our servers. Even though we have no reason to believe the data has been compromised, we believe this is the right thing to do.

LifeLock Wallet was billed as a way to securely store personal data on mobile devices – such as your Social Security number, drivers license, credit cards, and passwords.

LifeLock released its wallet app after purchasing the mobile wallet platform Lemon in December 2013 for $42.6 million.

News of the app’s removal from the Google, Apple and Amazon app stores caused LifeLock’s stock to drop by 17% in the two days after the announcement on Friday, 16 May, according to Business Insider.

A LifeLock filing with the US Securities and Exchange Commission (SEC) says the company believed the app’s non-compliance with PCI-DSS would result in a violation of its 2010 settlement with the Federal Trade Commission (FTC) over false claims about its products.

Our consent order with the Federal Trade Commission (FTC) sets forth certain requirements for the security practices of LifeLock and all of its subsidiaries and for our representations to consumers about those practices.

On May 15, 2014, on our own initiative, we informed the FTC Staff of these issues, and we expect to receive further requests for information from the FTC about these issues.

It is possible that this PCI non-compliance of the Wallet mobile application could result in a determination by the FTC that we are not in full compliance with our FTC consent order.

LifeLock’s spotty history

LifeLock’s CEO, Todd Davis, gained notoriety for his company after publicly displaying his Social Security number in ads and daring anyone to steal his identity – which he said was protected against theft by his product.

In fact, someone did steal his identity in 2007, using Davis’s name to secure a $500 loan.

LifeLock’s 2010 settlement with the FTC, which cost the company $12 million in fines, was a result of misleading ads that pledged the company could “guarantee” its customers would be protected against identity theft (the guarantee came with a $1 million backing).

In fact, the FTC said, the protection “left enough holes that you could drive a truck through it.”

LifeLock CEO Todd Davis

The company’s legal worries extend beyond its FTC settlement.

LifeLock has been sued more than 80 times in recent years, including a class action brought by shareholders claiming the company has violated its 2010 settlement with the FTC, according to Courthouse News Service.

In March 2014, LifeLock’s former chief information security officer sued the company, claiming he was fired after he objected to the company allegedly turning off ID theft alerts for its elderly customers in order to reduce the number of calls to its customer support center.

The lawsuit also claims that LifeLock’s security practices were so inadequate as to constitute “fraud” against its shareholders.

Despite the company’s mounting problems, Davis promised that LifeLock Wallet will be back.

Quick tips to prevent identity theft

Here are some simple tips to protect your identity, provided by the Identity Theft Resource Center.

  • Create unique, strong passwords for all your online accounts: use at least eight characters, including a mix of letters, numbers, special characters, and upper/lowercase.
  • Handle your personally identifiable information (PII) with care, and be careful who you give it to.
  • Check your credit reports annually.
  • Don’t carry more cards than necessary.
  • Use a firewall and anti-virus software to protect your computers and mobile devices.

If you think you’ve been a victim of identity theft, contact the major credit reporting agencies, the issuer of your compromised account (bank, credit card company, etc.), and notify your local police department.