Privacy & Information Security Law Blog

On December 16, 2025, the Federal Trade Commission (“FTC”) announced an enforcement action against Illusory Systems Inc., a Utah-based company doing business as Nomad, following a major data breach in which hackers stole $186 million from consumers. The FTC alleges that Illusory Systems failed to implement adequate data security measures, which allowed hackers to exploit a vulnerability in the company’s code.

According to the FTC’s complaint, Illusory Systems advertised itself as a “security-first” company but failed to use secure coding practices, implement processes for addressing vulnerability reports or use technologies that could have reduced the risk of consumer losses. In June 2022, the company introduced code that contained a significant vulnerability. Hackers began exploiting this vulnerability just over a month later. The FTC alleges that the company’s inadequate incident response measures led to the loss, and that even though the company recovered some money, consumers lost approximately $100 million.

The proposed FTC order prohibits the company from making misrepresentations about its security practices and requires Illusory Systems to implement a comprehensive information security program. The company would also be required to go through biennial assessments of its security program by an independent third party and return recovered money to affected consumers that had not already been returned. The order is currently open for public comment.