Agency Alleges Security Flaws Placed Consumers' Credit Card Numbers at Risk to Hackers
In the FTC's third case targeting companies that misrepresent the security of consumers' personal information, designer clothing and accessory marketer Guess, Incorporated has agreed to settle Federal Trade Commission charges that it exposed consumers' personal information, including credit card numbers, to commonly known attacks by hackers, contrary to the company's claims. The agency alleges that Guess didn't use reasonable or appropriate measures to prevent consumer information from being accessed at its Web site, Guess.com. The settlement will require that Guess implement a comprehensive information security program for Guess.com and its other Web sites.
"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. "It's not just good business, it's the law," he said.
Guess has sold Guess-brand clothing and accessories online at www.guess.com since 1998. According to the FTC complaint, since at least October 2000, Guess' Web site has been vulnerable to commonly known attacks such as "Structured Query Language (SQL) injection attacks" and other web-based application attacks. Guess' online statements reassured consumers that their personal information would be secure and protected. The company's claims included "This site has security measures in place to protect the loss, misuse, and alteration of information under our control" and "All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times." In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and Guess' security measures failed to protect against SQL and other commonly known attacks. In February 2002, a visitor to the Web site, using an SQL injection attack, was able to read in clear text credit card numbers stored in Guess' databases, according to the FTC.
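The following is an added illustration, not part of the FTC release and not Guess' code, of the class of flaw the complaint describes: a lookup that pastes user input into a SQL string lets a crafted value return every row, including card numbers stored in clear text, while the same lookup written with a bound parameter does not. The table, column names and card values are constructed test data; the `looks_like_injection` helper is a simple logging heuristic, an assumption of this example rather than anything the release describes.

```python
import sqlite3

# Constructed sample data: a toy customers table holding fake card numbers
# in clear text, mirroring the storage practice the complaint criticises.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Look up a customer by pasting the input straight into the SQL text.

    Because the quote characters in `username` are interpreted as SQL,
    a value such as "' OR '1'='1" changes the WHERE clause and the query
    returns every stored card number.
    """
    query = (
        "SELECT username, card_number FROM customers "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter.

    The driver sends the input as data, never as SQL, so the same crafted
    value matches no row instead of matching all of them.
    """
    query = "SELECT username, card_number FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def looks_like_injection(value):
    """Cheap indicator for request logging or alerting (assumed heuristic).

    This only flags obvious SQL metacharacters; it is a detection aid and
    is not a substitute for parameterized queries.
    """
    markers = ("'", "--", ";", " OR ", " UNION ")
    upper = value.upper()
    return any(marker in upper for marker in markers)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))      # returns both rows
    print("parameterized:", lookup_parameterized(db, crafted))  # returns []
    print("flagged:", looks_like_injection(crafted))          # True
```

The parameterized form is the fix; the heuristic only gives a defender something to log. Encrypting or tokenising the card column, which the release's second point concerns, is a separate control and is not shown here.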
To assist businesses in addressing these and other common vulnerabilities, the FTC has developed a fact sheet for business, "Security Check: Reducing Risks to your Computer Systems." Although computer systems aren't a company's only responsibility related to information security, they are an important one. With new vulnerabilities announced almost weekly, many businesses may feel overwhelmed trying to keep current. "Guidance is available from leading security professionals who put together consensus lists of vulnerabilities and defenses so that every organization, regardless of its resources or expertise in information security, can take basic steps to reduce the risks," according to the publication. The publication points to two web sites that can be of help: one identifies the 20 most critical Internet security vulnerabilities at www.sans.org/top20; the other identifies the 10 most critical Web application security vulnerabilities at www.owasp.org.
The Guess settlement prohibits the company from misrepresenting the extent to which it maintains and protects the security of personal information collected from or about consumers. It also requires that Guess establish and maintain a comprehensive information security program. In addition, Guess must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within a year, and every other year thereafter.
The Commission vote to accept the proposed consent agreement was 5-0. An announcement regarding the agreement will be published in the Federal Register shortly. The agreement will be subject to public comment for 30 days, until July 18, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
NOTE: A consent agreement is for settlement purposes only and does not constitute an admission of a law violation. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $11,000.
Copies of the complaint and consent agreement are available from the FTC's Web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
(FTC File No. 022-3260)
Claudia Bourne Farrell
Office of Public Affairs
Bureau of Consumer Protection