Feeds

Guess settles with FTC over cybersecurity snafu

A little hacking goes a long way

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

A little hacking went a long way this week when the Federal Trade Commission announced that Guess Inc. has agreed to overhaul its information security practices, to settle a rare FTC action kindled by young Southern California programmer who discovered a security hole on the fashion retailer's e-commerce site last year.

Jeremiah Jacks, now 20, discovered in February, 2002, that Guess.com was open to an "SQL injection attack," permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all, by Jacks' count. After a week of failed efforts to persuade Guess to fix the vulnerability, Jacks contacted SecurityFocus and provided a URL that demonstrated the hole. A reporter contacted Guess, which then fixed the problem within hours.

The episode prompted a year-long FTC investigation into alleged deceptive trade practices by Guess, based on language in the company's privacy policy that assured visitors, "All of your personal information including your credit card information and sign-in password are stored in an unreadable, encrypted format at all times." Under the settlement announced Wednesday, Guess is prohibited from misrepresenting the extent to which it protects the security of customers' personal information. The company must also establish and maintain a comprehensive information security program, certified by an independent professional each year for the 20-year life of the order. Any violation of the order can trigger an $11,000 fine.

"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release. "It's not just good business, it's the law."

The Guess case is only the third time the FTC has used its anti-consumer fraud mandate to crack down on e-commerce cybersecurity gaffes -- last year it won a consent decree against Eli Lilly for the inadvertent disclosure of the e-mail addresses of 669 Prozac users, and another one against Microsoft for inflated security claims about the company's Passport identity management service. "We are hoping that these cases send a message to other companies," says FTC associate director Jessica Rich.

Jacks, now working as a programmer in the Orange County office of a Japanese toy company, is bemused over his role in the commission's example-making. "Well, it was a lot of credit cards," he says.

"A Slap on the Wrist"

The FTC approached Jacks shortly after SecurityFocus reported on Guess' security problems, and the programmer says he reluctantly talked FTC attorney Jeff Davidson and other staffers through the intricacies of SQL injection in a series of phone calls. "I remember he was talking about how they were going to indict them or something," says Jacks. "He was freaking me out a little bit, because he told me he might want me to come testify in Washington... That made me a little leery."

Perhaps wary of being seen as allied with hackers, the FTC hasn't officially acknowledged Jacks contribution. But Davidson confirmed last year that he'd been in contact with the coder. Indeed, with the hole already sealed as the investigation began, the commission had little else to go on initially. "When he called me up there was really no proof," says Jacks.

Wednesday's settlement does not constitute an admission of wrongdoing by Guess, and spokesperson Molly Morse says the company's claim that it stored customer information securely was only intended to refer to its use of SSL to encrypt data in transit, between the customer and the Guess website. "They kept a copy of the information unencrypted, so they could keep it for financial purposes," Morse admits. The company says it cooperated with the FTC, and has already upgraded security on Guess.com.

Gartner analyst John Pescatore calls the FTC sanctions a "slap on the wrist." But he adds that dragging Guess' cybersecurity issues into the light of day will help persuade other companies to take security more seriously. "It's a form of disclosure," says Pescatore. "It's causing exposure for the companies that are leaving these things open... That's a lot more meaningful than the audits and $11,000."

In that respect, Pescatore says, the case offers a preview of what life will be like for e-commerce firms when California's mandatory-disclosure law takes effect on July 1st. Called SB 1386, that law says that any company doing business over the Web must disclose security breaches that result in the leaking of a California customer's credit card, drivers license or social security number.

That could mean a lot of disclosures this summer. "There's tons of companies out there that I found SQL injections on," says Jacks, who still pokes around when his normal Web surfing takes him to a new site. "I'm surprised they spent so much time on Guess, when there are so many other companies out there with the same problem."

© SecurityFocus.com

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, watchdog claims
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.