Avast customer data sale revelation - users warned over information security

News by Rene Millman

Czechs authorities bounce into action, start an investigation after the disclosure that cyber-security company Avast had harvested customer data before selling it onto other firms.

People should take better care over their data after the disclosure that cyber-security company Avast had harvested customer data before selling it onto other firms.

An investigation by Vice and PC Mag discovered that Avast had been collecting the web browsing data habits from its hundreds of millions of customers to supply some of the world’s biggest firms.

The investigation found that the anonymised web history data could then be traced back to individual users. A subsidiary of Avast, called Jumpshot was tasked with selling the user data from millions of devices to major brands and e-commerce providers.

The expose has led to the Czech data protection authority starting up an investigation into Avast and its activities. In a statement on its website, the authority said that “on the basis of the information revealed describing the practices of Avast Software s.r.o., which was supposed to sell data on the activities of anti-virus users through its ‘Jumpshot division’ the Office initiated a preliminary investigation of the case. 

“At the moment we are collecting information on the whole case. There is a suspicion of a serious and extensive breach of the protection of users’ personal data. Based on the findings, further steps will be taken and general public will be informed in due time, “ said Ivana Janu, president of the Czech Office for Personal Data Protection.

Robert Ramsden-Board, VP EMEA at Securonix, told SC Media UK that the story raises several serious questions about the ethics of processing and selling data, and it should hopefully stand as a reminder to consumers to ensure that their data is protected and safe at all times. 

“It is an unfortunate fact that in this day and age, consumers must be wary of who they trust with their data. When the antivirus companies are the bad guy, it’s difficult to see who is good. The best course of action is to constantly ensure that your personal data stays secure. This can be done by managing preferences on websites, but when it comes to software as a service (SaaS) it becomes even more sinister and we must be even more wary,” he said.

Paul Bischoff, privacy advocate at Comparitech.com, told SC Media UK that while both Avast and AVG offer paid products, the majority of users are on the free versions. 

“As the saying goes, if you're not paying for the product, then you are the product. That wisdom certainly proved true in this case. AVG and Avast abused users' trust and put them at risk, which could well be a death sentence for a business that users rely on for protection,” he said.

Boris Cipot, senior security engineer at Synopsys, told SC Media UK that the recent developments of this case show that GDPR is taken seriously by authorities. 

“I just wonder how many of such cases will need to be uncovered before this type of data trafficking stops and we can finally rest assured that the companies we trust with our data will not reuse it, or in some cases even misuse it,” he said.

The news of data peddling has lead to Avast shutting down Jumpshot.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews