IDG News Service - The U.S. Federal Trade Commission has reached a settlement with Petco Animal Supplies Inc. on charges that the company's Web site violated federal law by making deceptive security claims.
A security flaw in the pet supply retailer's Web site left customers' credit card numbers exposed to attackers. The FTC alleges that Petco didn't take reasonable measures to protect its Web site and made deceptive claims in stating that customers' credit card numbers would be "shielded from unauthorized access."
The flaw was exploited in a June 2003 attack on Petco.com, which enabled a visitor to read customer data stored in Petco's database. According to Petco, the attack was perpetrated by an independent security consultant named Jeremiah Jacks, who immediately informed Petco of the vulnerability.
The vulnerability exposed only a limited amount of customer information, a Petco spokesman said. "What he got was credit card numbers, but there was no other customer information accompanying those numbers," he said.
Under the terms of the settlement, announced yesterday, Petco is prohibited from misrepresenting the security of its Web site and must establish a comprehensive security information program, which will be subject to independent audits for the next 20 years, said Alain Sheer, an attorney in the FTC's financial practices division.
Petco could be held in contempt of court if it violates the agreement, he said.
It should help deter other companies from ignoring and misrepresenting security vulnerabilities on their Web sites, Sheer said. "Obviously, there's some pretty bad publicity here. We think that should be a deterrent."
The FTC has reached similar settlements with Eli Lilly and Co., Microsoft Corp., Guess Inc. and Tower Direct LLC, Sheer said.
"Petco is committed to keeping all customer information obtained through our Web site and stores private and secure," the Petco spokesman said.
Meanwhile, in a separate but related action, the FTC announced that it has charged Sunbelt Lending Services Inc. of Clearwater, Fla., and Nationwide Mortgage Group Inc., of Fairfax. Va., for "significant failures" to comply with the agency's Gramm-Leach Bliley (GLB) Safeguards Rule.
The Safeguards Rule requires companies to put in place reasonable measures for protecting confidential customer information. These are the first such cases involving enforcement of the Safeguards Rule.
According to a statement from the FTC, both the companies failed to comply with the rule's basic requirements, "including that they assess the risks to sensitive customer information and implement safeguards to control these risks.
"In addition, Nationwide failed to train its employees on information security issues; oversee its loan officers' handling of customer
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
