A federal lawsuit filed Wednesday claims that popular App Store app developer Storm8 may have bypassed safeguards in order to obtain data such as phone numbers via games downloaded over 20 million times.

World War, iMobsters, Racing Live, Vampires, Kingdoms, Zombies Live, Rockstars Live and Ninjas Live are some of the iPod Touch and iPhone titles listed on Storm8’s website. Court documents point to “secret code” written into games to circumvent protections preventing apps from collecting data on unsuspecting users:

“…Storm8 makes use of the ‘backdoor’ method to access, collect, and transmit the wireless phone numbers of the iPhones on which its games are installed,” states the complaint, which was filed in US District Court in Northern California. “Storm8 does so or has done so in all of its games.”

The Register points to a column written back in August about privacy concerns and the iPhone. The columnist highlights data-gathering in Storm8’s Vampires Live mini MMORPG:

One of the best selling iPhone app is Vampires Live, a very cool game which is a take off from the current pop culture fascination with vampires. The app is built by Storm8 and is the 8th best selling iPhone app.

The game is essentially an massive multi-player online game which will use your 3G or WiFi connection. 3G is your data plan. So far so good. While playing vampires is fun, it does not involve exchanging phone numbers with other players. In fact, no one needs your phone number to play with you.

But guess what?

Without your permission, Storm8 harvests both your UDID, phone number, email and name (on registration).

(Examples of code.)

As you can see, the personally identifiable information which is the PNUM is being transmitted and I guess stored with Storm8’s servers. For non-technical types, PNUM is phone number and I changed the telephone number on the log to hide my personal number. I would not want just anyone to have my personal phone number. Worst of all, the information is transmitted unencrypted in plain text.

Storm8 is claiming that the data collection was unintentional and part of a “”a bug that has been fixed.” But the prosecution is skeptical, saying the developers used “very specific and specialized software code to do so.” The claimant in the case is hoping to obtain class action status.

[Source: The Register]

Related posts:

1. iPhone Surveillance: Your Phone Is Watching
2. Repeat after me: the Google Phone is not an iPhone killer
3. The new iPhone IS a gaming platform

In a statement George Paz, the company president said

“We are cooperating with the FBI and are committed to doing what we can to protect our members’ personal information and to track down the person or persons responsible for this criminal act,”

The company came clean in light of the sentencing of three New Yorkers involved in the Citibank theft of account card numbers that I wrote about yesterday here at The Inquisitr. Express Script said it got the letter back in early October and while it isn’t aware of any misuse of the stolen data it has notified those affected as well as setting up a website to help their customers out.

Related posts:

1. Google Employee Data Stolen
2. Kaspersky site hacked to exposed sensitive data
3. Twitter-Based Impersonator Exposed

A burglary at a third-party human resource company included computers with files of Google employees hired prior to 2006, according to a letter from Google to the New Hampshire Attorney General. The files were stored at a company called Colt Express Outsourcing Services and contained names, addresses, and social security numbers.

Some Google employees were notified of the breach as recently as Tuesday. The company is offering to pay for a year-long identity theft monitoring service for those affected.

CNET learned last month 6,500 of its own employee records were also stolen in the same burglary from the office. It is also offering an identity theft monitoring service free of charge to its affected employees.

Related posts:

1. Google’s next big business – employee predictions
2. Exclusive: VisaLink Exposes Personal Data
3. Patient data threatened to be exposed in extortion attempt