The Federal Trade Commission has settled a case alleging that a debt broker disclosed too much personal information about debtors in online postings marketing their portfolios for sale. The agency filed a lawsuit in DC federal court Friday to formalize the settlement, with the judge issuing an order yesterday accepting the settlement terms.

The FTC’s alleged that in the past three months alone, the defendants had “posted at least twenty-one portfolios of purported debts [online] containing the unencrypted, unmasked, sensitive personal information of more than 28,000 consumers.”

In explaining the case, the FTC said that the defendants — Bayview Solutions, a debt broker headquartered in Florida — uses web sites that cater to debt buyers and sellers to post portfolios for sale. Most of the sites require registration, verification, and login before users are able to view marketed portfolios.

But on at least one unnamed site, the FTC says that access to the portfolios is not restricted and anyone can see the portfolios. This is generally not an issue because sellers post summary information on the portfolios, such as type of debt, number of accounts, total face value, etc. In some instances, sellers also post sample portions of their portfolios, but redact or mask personal identifiers that would disclose a consumer’s identity or compromise the consumer’s sensitive personal information.

The FTC alleged that Bayview did not take the appropriate steps to redact sensitive information in their portfolio samples.

“On at least twenty-one occasions, Defendants have offered their debt portfolios for sale by posting them on this website in the form of unencrypted, unprotected Excel spreadsheets,” according to the filing. “Since July 16, 2014 alone, Defendants have posted at least twenty-one portfolios of purported debts on this website, containing the unencrypted, unmasked, sensitive personal information of more than 28,000 consumers. More specifically, Defendants have offered their debt portfolios by posting messages on the website that have included summary descriptions of their portfolios in the body of the message, and the unencrypted, unprotected portfolios in the form of Excel spreadsheets as attachments to the messages.”

The federal agency notes that Bayview did partially redact some of the information in the spreadsheets. But the FTC said it wasn’t enough as “that information is easily discerned based on other disclosed information.” Some of the information included personal identifiers such as name and address and more sensitive financial information like bank account and routing numbers.

A settlement was signed in September in which the debt broker admitted no wrongdoing and agreed to stop the practice. Despite the recent developments, Bayview says it has already put the matter behind them.

In a statement provided to insideARM, the company noted, “Last summer we made a mistake, we had a glitch. We cooperated with the FTC and resolved the matter with a signed settlement. It affected a small part of our inventory, which we have isolated. We notified all affected consumers, according to the settlement, and we have taken steps to make sure this does not happen again. We have put the issue behind us, business is good and we are looking forward to helping our clients grow their business.”