LifeLock
American identity theft protection software
From Wikipedia, the free encyclopedia
LifeLock is identity theft prevention software, initially sold by the LifeLock company, and now sold by Gen. The software was marketed as NortonLifeLock after 2017 and is also bundled with several Norton 360 products. LifeLock monitors for identity theft, the use of personal information, and credit score changes.[1][2]
 | |
| Company type | Public |
|---|---|
| GEN | |
| Industry | Identity theft protection |
| Founded | 2005 in Tempe, Arizona |
| Founder | Robert Maynard Jr. and Todd Davis |
| Headquarters | Tempe, Arizona |
| Parent | Gen Digital |
| Website | https://lifelock.norton.com/ |
History
Corporate governance
LifeLock was co-founded in 2005 by Robert J. Maynard and Todd Davis in Tempe, Arizona.[3][4]
Maynard resigned from LifeLock in June 2007 following a story published in Phoenix New Times that questioned claims that his identity was stolen.[5][6][7] Maynard, Jr. was succeeded by co-founder Todd Davis the same year.
The same year, Davis publicly posted his Social Security number as part of a 2007 ad campaign to promote the company's identity theft protection services. Between 2007 and 2008, Davis reported 13 instances of identity theft.[8][9] Davis later stated that the campaign was intended to emphasize the risks of data breaches and promote identity protection.[10]
In 2012, Hilary Schneider joined the company as president and Roy C. Guthrie joined as lead director.[11][12] Four years later, in 2016, the company announced that Schneider would replace Todd Davis as CEO.[11] Davis stepped down from his position and assumed the role of executive vice chairman of the board.[12] Roy C. Guthrie assumed the role of chairman.[12]
Funding
The company started with $2 million in seed funding followed by another $5 million in its Series A funding in 2006 from Bessemer Ventures.[13]
LifeLock raised $6 million in its Series B funding from Kleiner Perkins Caufield & Byers in April 2007.[13] The following January, its Series C Funding raised $25 million, led by Goldman Sachs Group, Inc.[14] In August 2009, a Series D funding round raised $40 million for the company.[15] In March 2013, LifeLock raised $100 million in new equity funding from Bessemer Ventures Partners, Goldman, Sachs & Co., Kleiner Perkins Caufield & Byers, Symantec Corporation, and River Street Management.[16] The funds were used towards the acquisition of ID Analytics, an identity theft risk prediction technology.[17]
In 2012, LifeLock filed for an initial public offering (IPO). announced plans to take its identity theft protection business public[18][19] The company was listed on the New York Stock Exchange beginning on October 3, 2012, trading under the symbol LOCK.[20] LifeLock filed a form with the Securities and Exchange Commission to voluntarily deregister its common stock in 2017 post its acquisition by Symantec for $2.3 billion.[21][22]
Acquisitions, partnerships and mergers
In December 2008, LifeLock entered into an agreement with TransUnion to automate customer credit monitoring alerts.[23]
In March 2012, LifeLock acquired ID Analytics, which operates independently as a wholly owned subsidiary.[17] That August, LifeLock announced its initial public offering (IPO).[18]
LifeLock acquired Lemon Wallet, a digital wallet platform, for $42.6 million, in late 2013.[24][25][26]
LifeLock was acquired by Symantec on February 9, 2017 for $2.3 billion.[21] After Symantec sold its enterprise division to Broadcom, the company was renamed to NortonLifeLock in November 2019. The parent company was further renamed to Gen Digital in 2022, following the merger of NortonLifeLock and Avast.[27][28][29]
Controversies
As part of a 2009 settlement with Experian related to false fraud alerts allegations, LifeLock released a service that did not rely on fraud alerts.[30][31][32]
Federal Trade Commission fines
LifeLock was fined $12 million by the Federal Trade Commission in March 2010 for deceptive advertising.[33] The FTC called the company's prior marketing claims misleading to consumers by claiming to be a 100% guarantee against all forms of identity theft after the co-founder posted his social security number on billboards and commercials to promote the company's “anti data theft protection”.[34]
In 2015, the FTC found LifeLock to be in contempt of the 2010 agreement, stating that they "failed to establish and maintain a comprehensive information security program", and "falsely advertised that it protected consumers' sensitive data". The FTC obtained a $100 million penalty against LifeLock to settle the contempt charge. Of that fine, $68 million was held for class-action refunds to LifeLock customers.
Cybersecurity incidents
2015 refer a friend Security Flaw
In July 2015, security researchers Eric Taylor and Blake Welsh disclosed a cross-site scripting vulnerability on LifeLock’s "refer a friend" webpage. According to The Register, the flaw could have allowed attackers to inject malicious JavaScript, creating opportunities for phishing attempts or account takeover. LifeLock took the affected page offline after being notified and stated that no customer data had been compromised.[35][36][37]
2018 subscriberkey Security Flaw
In July 2018, a flaw was discovered on LifeLock's website that exposed millions of customer email addresses. The security breach involved a numeric subscriberkey parameter which could be sequentially enumerated, allowing anyone to retrieve the email addresses tied to those keys. The flaw was found on a page that allowed unsubscribing from emails. A security researcher, after receiving a marketing email, accessed a link that showed his own subscriberkey. He then wrote a proof-of-concept script to auto-increment the subscriberkey values, retrieving approximately 70 email addresses before stopping. The company took the website offline after being notified, and stated the issue was limited to the marketing opt-out page managed by a third party. [38][39]
2022 credential stuffing attack
In December 2022, LifeLock servers suffered an attack using credential stuffing, and over 6,000 user accounts had their details disclosed, including names, addresses, and phone numbers. The method of attack was to use credentials from previous unrelated breaches. This resulted in a large number of failed login attempts on 16 December 2022. Notification of the breach was sent in January 2023.[40][41][42]