Geeks.com agrees to security audits in wake of data breach
Tech retailer to undergo third-party audits every other year, as part of settlement with FTC
February 6, 2009 12:00 PM ET | IDG News Service - The operator of the Geeks.com Web site will submit to five outside security audits over the next 10 years as part of a data-breach settlement deal with the Federal Trade Commission, which found that the online retailer had failed to adequately protect its customer data prior to the breach.
Geeks.com, which sells computer supplies and consumer electronics, disclosed the data breach in January 2008 after discovering it the month before. The retailer, which is formally known as Genica Corp., said that the compromised information included the names, street and e-mail addresses, telephone numbers and credit card numbers of affected customers.
The breach was notable because the Geeks.com site prominently displayed a "Hacker Safe" seal provided to companies by McAfee Inc. as part of its ScanAlert vulnerability scanning service. However, McAfee officials said at the time that the Hacker Safe certification — since renamed McAfee Secure — had been withdrawn from Geeks.com on multiple occasions during 2007 after scans found vulnerabilities in its systems.
According to a complaint filed by the FTC, Geeks.com routinely stored sensitive customer data in unencrypted form on its systems prior to discovering the breach. The retailer also didn't "adequately assess" whether its Web applications and network were vulnerable to commonly known and foreseeable hacking attempts, including SQL injection attacks, the FTC said.
Nor did Geeks.com implement "simple, readily available" and inexpensive defenses to thwart such attacks, the commission claimed. The FTC's complaint alleged that the shortcoming enabled hackers to repeatedly exploit the vulnerabilities in Geeks.com's systems from January to June 2007.
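The FTC complaint names SQL injection as a "commonly known and foreseeable" attack and says the fix is simple and inexpensive. The following is an added illustration, not code from the article or from Genica's systems: a lookup written the vulnerable way (user input spliced into the SQL text) beside the hardened form (a parameterized query), run against a constructed in-memory SQLite table holding the kinds of fields the article says were exposed. The table, usernames, e-mail addresses and card numbers are made up for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the article): a small table
# with the field types the retailer reportedly stored unencrypted.
CUSTOMERS = [
    ("alice", "alice@example.com", "4111111111111111"),
    ("bob", "bob@example.com", "5500000000000004"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller-supplied string becomes part of the SQL statement.

    A quote character in the input ends the string literal and lets the rest of
    the input change the WHERE clause (or append UNION SELECT).
    """
    sql = f"SELECT username, email, card FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Hardened: a parameterized query.

    The SQL text is fixed; the driver passes the value separately, so quotes or
    SQL keywords in the input are matched literally and cannot alter the query.
    """
    sql = "SELECT username, email, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology and
# dumps every row; the second appends a UNION to read the schema from
# sqlite_master (three columns to match the original SELECT, "--" comments
# out the trailing quote).
ATTACK_TAUTOLOGY = "nobody' OR '1'='1"
ATTACK_UNION = "nobody' UNION SELECT name, sql, '' FROM sqlite_master --"


def demo():
    """Run both lookups against the same inputs and return the result sets."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, ATTACK_TAUTOLOGY),  # every customer row
        "union": lookup_vulnerable(conn, ATTACK_UNION),           # table schema leaks
        "hardened": lookup_hardened(conn, ATTACK_TAUTOLOGY),      # no rows: no such username
        "legit": lookup_hardened(conn, "alice"),                  # still works for real users
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The tautology payload makes the vulnerable query return both customers, and the UNION payload returns the CREATE TABLE statement, which is the reconnaissance step that precedes pulling card numbers out of a real store. The same two strings fed to the parameterized version return nothing, because the driver compares them literally against the username column. Parameterizing every query is the "simple, readily available" control the FTC refers to; it costs nothing at run time and needs no input filtering to get right.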
In addition, the retailer violated federal law by falsely stating that it had taken appropriate measures to protect personal data, the FTC said. Geeks.com's privacy policy states: "We use secure technology, privacy protection controls and restrictions on employee access in order to safeguard your information."
The settlement with the FTC, announced Thursday, bars Geeks.com from making deceptive privacy and data security claims and requires it to implement and maintain a comprehensive information security program. The deal also requires the company to undergo a third-party audit every other year for the next 10 years in order to ensure that the internal security program meets the standards spelled out in the settlement.
Peter Green, Genica's marketing manager, said the company has worked closely with state and federal law enforcement officials and with computer forensics experts to try to find out who was responsible for the breach and to fix any security problems in its systems. "We have taken this breach very seriously," he said.
Reprinted with permission from
Story copyright 2009 International Data Group. All rights reserved.