Oracle settles FTC charges that it deceived with security updates

Oracle has agreed to settle federal allegations that the tech giant misled customers about security updates for popular software installed on more than 850 million personal computers.

According to the Federal Trade Commission (FTC) charges, the deception left these computer users unknowingly exposed to malware and cyberattacks.

“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection.

In its complaint, the FTC alleged that Oracle was aware of security flaws within old versions of the widely used Java software platform, which the company acquired in 2010.

According to the FTC, these security issues allowed hackers to develop malware that lifted people’s usernames and passwords for financial accounts.

Oracle offered updates for the Java software, promising it would make the system “safe and secure.” But the FTC said those updates only removed the most recent version of Java, leaving the flawed older versions installed on computers.

The FTC said it uncovered internal documents showing Oracle was aware its update process was insufficient, but did not properly notify customers or act aggressively enough to correct the shortcomings.

Under the terms of the settlement, Oracle must notify customers about these potential risks and give them a way to uninstall the defective versions of Java.

“The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers,” Rich said.

In recent years, the FTC has become the de facto data security regulatory agency, as Congress has been unable to move a data breach bill that would set nationwide security standards.