Security Flaws Allowed Hackers to Access Consumers' Credit Card Information
Petco Animal Supplies, Inc., a national seller of pet food, supplies, and services, has agreed to settle Federal Trade Commission charges that security flaws in its www.PETCO.com Web site violated privacy promises it made to its customers and violated federal law. The agency alleges that, contrary to Petco’s claims, it did not take reasonable or appropriate measures to prevent commonly known attacks by hackers. The flaws allowed a hacker to access consumer records, including credit card numbers. The settlement requires that Petco implement a comprehensive information security program for its Web site.
This is the fifth FTC case challenging deceptive claims by businesses about the security they provided for consumers’ personal information.
“Consumers have the right to expect companies to keep their promises about the security of the confidential consumer information they collect,” said Lydia Parnes, Acting Director of the FTC’s Bureau of Consumer Protection. “The FTC will hold companies to their word.”
Petco has sold pet food and supplies to consumers through its online store at www.PETCO.com since February 2001. According to the FTC, Petco made security claims on the Web site, such as:
“At PETCO.com, protecting your information is our number one priority, and your personal information is strictly shielded from unauthorized access.
Entering your credit card number via our secure server is completely safe. The server encrypts all of your information; no one except you can access it.”
According to the complaint, however, the Web site was vulnerable to commonly known Web-based application attacks, such as “Structured Query Language” (SQL) injection attacks. The FTC alleges that Petco created these vulnerabilities in its Web site by failing to implement reasonable and appropriate security measures to secure and protect sensitive consumer information, including simple, readily available defenses that would have blocked such attacks. The agency also charged that the sensitive information Petco obtained through its Web site was not maintained in an encrypted format, as it claimed. As a result, a hacker was able to penetrate the Petco Web site and access credit card numbers stored in unencrypted clear text. The FTC charged that Petco’s claims were deceptive and violated the FTC Act.
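The complaint's two technical points, that the site was open to SQL injection and that a "simple, readily available" defense would have blocked it, come down to whether user input is spliced into the SQL text or bound as a parameter. The following is an added illustration, not code from Petco or from the FTC filing: it seeds an in-memory SQLite table with constructed, made-up rows and runs the same lookup both ways so the difference in behaviour can be observed directly. The table, column names and inputs are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the demonstration; the card numbers are
# made-up test values, not real PANs, and the table layout is an assumption.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "4111111111111111"),
    (2, "bob@example.com", "5555555555554444"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The anti-pattern the complaint describes: request input is concatenated
    into the SQL string, so the database parses attacker-controlled text as
    part of the query rather than as a value."""
    query = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    """The readily available defense: a bound parameter is sent to the
    database as data and can never change the query's structure."""
    query = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def demo():
    """Run one honest lookup and one lookup with a quote-breaking input
    through both functions and report how many rows each returns."""
    conn = make_db()
    honest = "alice@example.com"
    # Textbook tautology input, used here only to show that the concatenated
    # query returns every customer while the parameterized one returns none.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_honest": len(lookup_parameterized(conn, honest)),
        "safe_crafted": len(lookup_parameterized(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized form is the whole of the fix for this class of flaw; it needs no input filtering or escaping and is supported by every mainstream database driver. A practitioner reviewing a code base for this defect looks for string concatenation or formatting that feeds `execute()`, which is exactly what `lookup_vulnerable` does.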
The settlement prohibits Petco from misrepresenting the extent to which it maintains and protects sensitive consumer information. It also requires Petco to establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. It requires that Petco arrange biennial audits of its security program by an independent third party certifying that Petco’s security program is sufficiently effective to provide reasonable assurance that the security, confidentiality, and integrity of consumers’ personal information has been protected. The settlement also contains record keeping provisions to allow the FTC to monitor compliance.
The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through December 15, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
NOTE: This consent agreement is for settlement purposes only and does not constitute an admission by the defendant of a law violation. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $11,000.
Copies of the complaint and consent agreement are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
(FTC File No. 032 3221)
Office of Public Affairs
Bureau of Consumer Protection