Feeds

Guess settles with FTC over cybersecurity snafu

A little hacking goes a long way

  • alert
  • submit to reddit

Build a business case: developing custom apps

A little hacking went a long way this week when the Federal Trade Commission announced that Guess Inc. has agreed to overhaul its information security practices, to settle a rare FTC action kindled by young Southern California programmer who discovered a security hole on the fashion retailer's e-commerce site last year.

Jeremiah Jacks, now 20, discovered in February, 2002, that Guess.com was open to an "SQL injection attack," permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all, by Jacks' count. After a week of failed efforts to persuade Guess to fix the vulnerability, Jacks contacted SecurityFocus and provided a URL that demonstrated the hole. A reporter contacted Guess, which then fixed the problem within hours.

The episode prompted a year-long FTC investigation into alleged deceptive trade practices by Guess, based on language in the company's privacy policy that assured visitors, "All of your personal information including your credit card information and sign-in password are stored in an unreadable, encrypted format at all times." Under the settlement announced Wednesday, Guess is prohibited from misrepresenting the extent to which it protects the security of customers' personal information. The company must also establish and maintain a comprehensive information security program, certified by an independent professional each year for the 20-year life of the order. Any violation of the order can trigger an $11,000 fine.

"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release. "It's not just good business, it's the law."

The Guess case is only the third time the FTC has used its anti-consumer fraud mandate to crack down on e-commerce cybersecurity gaffes -- last year it won a consent decree against Eli Lilly for the inadvertent disclosure of the e-mail addresses of 669 Prozac users, and another one against Microsoft for inflated security claims about the company's Passport identity management service. "We are hoping that these cases send a message to other companies," says FTC associate director Jessica Rich.

Jacks, now working as a programmer in the Orange County office of a Japanese toy company, is bemused over his role in the commission's example-making. "Well, it was a lot of credit cards," he says.

"A Slap on the Wrist"

The FTC approached Jacks shortly after SecurityFocus reported on Guess' security problems, and the programmer says he reluctantly talked FTC attorney Jeff Davidson and other staffers through the intricacies of SQL injection in a series of phone calls. "I remember he was talking about how they were going to indict them or something," says Jacks. "He was freaking me out a little bit, because he told me he might want me to come testify in Washington... That made me a little leery."

Perhaps wary of being seen as allied with hackers, the FTC hasn't officially acknowledged Jacks contribution. But Davidson confirmed last year that he'd been in contact with the coder. Indeed, with the hole already sealed as the investigation began, the commission had little else to go on initially. "When he called me up there was really no proof," says Jacks.

Wednesday's settlement does not constitute an admission of wrongdoing by Guess, and spokesperson Molly Morse says the company's claim that it stored customer information securely was only intended to refer to its use of SSL to encrypt data in transit, between the customer and the Guess website. "They kept a copy of the information unencrypted, so they could keep it for financial purposes," Morse admits. The company says it cooperated with the FTC, and has already upgraded security on Guess.com.

Gartner analyst John Pescatore calls the FTC sanctions a "slap on the wrist." But he adds that dragging Guess' cybersecurity issues into the light of day will help persuade other companies to take security more seriously. "It's a form of disclosure," says Pescatore. "It's causing exposure for the companies that are leaving these things open... That's a lot more meaningful than the audits and $11,000."

In that respect, Pescatore says, the case offers a preview of what life will be like for e-commerce firms when California's mandatory-disclosure law takes effect on July 1st. Called SB 1386, that law says that any company doing business over the Web must disclose security breaches that result in the leaking of a California customer's credit card, drivers license or social security number.

That could mean a lot of disclosures this summer. "There's tons of companies out there that I found SQL injections on," says Jacks, who still pokes around when his normal Web surfing takes him to a new site. "I'm surprised they spent so much time on Guess, when there are so many other companies out there with the same problem."

© SecurityFocus.com

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?