MoviePass settles with the FTC over exposing private information, misleading consumers

The FTC also slammed the company for using an array of tricks to keep users from actually using the service.
Movie Pass sign. (Photo by Daniel Boczarski/Getty Images for MoviePass)

Defunct subscription service MoviePass won’t have to pay users for exposing their personal information, or for quietly blocking them from using the movie ticket service’s “one ticket per day” feature.

The now-bankrupt company settled with the Federal Trade Commission Tuesday over allegations that it failed to secure users’ personal information and misled them about the company’s subscription offerings, the agency announced.

The subscription service, which launched in 2011, once attracted more than 3 million paid subscribers for its unrivaled service of offering unlimited movie theater passes for initially just $9.99 a month. The business model turned out to be unsustainable, with the company turning to increased prices and eventually bankruptcy in January 2020 after struggling to retain subscribers.

Failure to secure a server of users’ private information led to the exposure of tens of thousands of names, birthdates, customer card numbers and credit card numbers between at least May and August of 2019, TechCrunch reported at the time. The company’s privacy policy said it encrypted customers payment information but the information in the server was unencrypted.


The company didn’t even take basic steps to secure sensitive information, and its systems were breached,” FTC Commissioner Rohit Chopra tweeted.

The FTC also slammed the company for using an array of tricks to keep users from actually using the service. The company allegedly issued misleading notices about password disruptions and flagged unsubstantiated suspicious activity and potential fraud to invalidate user passwords.

The company also instituted measures to quietly block users from seeing more than three movies per month despite promising consumers one movie per day.

“MoviePass and its executives went to great lengths to deny consumers access to the service they paid for while also failing to secure their personal information,” Daniel Kaufman, the FTC’s acting director of the Bureau of Consumer Protection, said in a press release.

The FTC will not provide restitution since the settlement comes after the company went bankrupt. The proposed consent order requires parent company Helios and Matheson Analytics, Inc. and principal executives Mitchell Lowe and Theodore Farnsworth to enact “comprehensive information security programs” for future businesses and report any data breaches.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts