Feeds

Guess settles with FTC over cybersecurity snafu

A little hacking goes a long way

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

A little hacking went a long way this week when the Federal Trade Commission announced that Guess Inc. has agreed to overhaul its information security practices, to settle a rare FTC action kindled by young Southern California programmer who discovered a security hole on the fashion retailer's e-commerce site last year.

Jeremiah Jacks, now 20, discovered in February, 2002, that Guess.com was open to an "SQL injection attack," permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all, by Jacks' count. After a week of failed efforts to persuade Guess to fix the vulnerability, Jacks contacted SecurityFocus and provided a URL that demonstrated the hole. A reporter contacted Guess, which then fixed the problem within hours.

The episode prompted a year-long FTC investigation into alleged deceptive trade practices by Guess, based on language in the company's privacy policy that assured visitors, "All of your personal information including your credit card information and sign-in password are stored in an unreadable, encrypted format at all times." Under the settlement announced Wednesday, Guess is prohibited from misrepresenting the extent to which it protects the security of customers' personal information. The company must also establish and maintain a comprehensive information security program, certified by an independent professional each year for the 20-year life of the order. Any violation of the order can trigger an $11,000 fine.

"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release. "It's not just good business, it's the law."

The Guess case is only the third time the FTC has used its anti-consumer fraud mandate to crack down on e-commerce cybersecurity gaffes -- last year it won a consent decree against Eli Lilly for the inadvertent disclosure of the e-mail addresses of 669 Prozac users, and another one against Microsoft for inflated security claims about the company's Passport identity management service. "We are hoping that these cases send a message to other companies," says FTC associate director Jessica Rich.

Jacks, now working as a programmer in the Orange County office of a Japanese toy company, is bemused over his role in the commission's example-making. "Well, it was a lot of credit cards," he says.

"A Slap on the Wrist"

The FTC approached Jacks shortly after SecurityFocus reported on Guess' security problems, and the programmer says he reluctantly talked FTC attorney Jeff Davidson and other staffers through the intricacies of SQL injection in a series of phone calls. "I remember he was talking about how they were going to indict them or something," says Jacks. "He was freaking me out a little bit, because he told me he might want me to come testify in Washington... That made me a little leery."

Perhaps wary of being seen as allied with hackers, the FTC hasn't officially acknowledged Jacks contribution. But Davidson confirmed last year that he'd been in contact with the coder. Indeed, with the hole already sealed as the investigation began, the commission had little else to go on initially. "When he called me up there was really no proof," says Jacks.

Wednesday's settlement does not constitute an admission of wrongdoing by Guess, and spokesperson Molly Morse says the company's claim that it stored customer information securely was only intended to refer to its use of SSL to encrypt data in transit, between the customer and the Guess website. "They kept a copy of the information unencrypted, so they could keep it for financial purposes," Morse admits. The company says it cooperated with the FTC, and has already upgraded security on Guess.com.

Gartner analyst John Pescatore calls the FTC sanctions a "slap on the wrist." But he adds that dragging Guess' cybersecurity issues into the light of day will help persuade other companies to take security more seriously. "It's a form of disclosure," says Pescatore. "It's causing exposure for the companies that are leaving these things open... That's a lot more meaningful than the audits and $11,000."

In that respect, Pescatore says, the case offers a preview of what life will be like for e-commerce firms when California's mandatory-disclosure law takes effect on July 1st. Called SB 1386, that law says that any company doing business over the Web must disclose security breaches that result in the leaking of a California customer's credit card, drivers license or social security number.

That could mean a lot of disclosures this summer. "There's tons of companies out there that I found SQL injections on," says Jacks, who still pokes around when his normal Web surfing takes him to a new site. "I'm surprised they spent so much time on Guess, when there are so many other companies out there with the same problem."

© SecurityFocus.com

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.