A security alert service last week alerted the world to the fact that a fault existed in Passport's password reset function, one that could be used by would-be hackers to take over a user's account.

Microsoft promptly suspended the reset service as a temporary measure, but it emerged that Microsoft's failure to correct the problem before last week could land it in hot water with the FTC.

Passport was last year investigated by the FTC over charges relating to the privacy and security of personal information collected from consumers.

Among its findings, the FTC decided Microsoft had falsely represented that it employed reasonable and appropriate security measures to maintain and protect the privacy and confidentiality of consumers' personal information.

In an FTC consent order signed last August, Microsoft was required to implement and maintain a comprehensive information security program. This program must be certified as meeting or exceeding the standards in the consent order by an independent professional every two years.

An FTC spokesperson said companies must take reasonable and appropriate steps and safeguards to comply with its orders. Each violation of an FTC consent order can result in an investigation and an $11,000 fine.

"We have the ability to investigate if there's an order in place," the FTC said. The spokesperson refused to comment directly on the Microsoft case, but added that the largest fines awarded against violators have run up to $4-5m.

A Microsoft spokesperson said the company does have a security program in place, as required by last year's order. He added that Microsoft has regular ongoing contact with the FTC, but wouldn't say whether the company is now under FTC investigation.

Source: Computerwire