Tower Records settles charges over hack attacks

Must improve security

Music retailer Tower Records on Wednesday settled charges with federal investigators arising from a security gaffe on the company's ecommerce site, which for a time made the buying habits of online customers accessible to outsiders.

The settlement requires Tower to establish and maintain a comprehensive information security program, which will be certified by an independent expert within six months, and bi-annually thereafter for 10 years. Additionally, the company agreed not to misrepresent the extent to which it protects customer information from unauthorized access. Each violation of the agreement could put the company on the hook for an $11,000 fine.

The case stemmed from an incident in late 2002, when a site redesign introduced a vulnerability into Tower's ecommerce store front that allowed Web users to peruse other customers' order histories by bringing up an order status page, and simply changing the order number in the URL. The gaffe exposed names, billing and shipping addresses, email addresses, phone numbers, and past Tower purchases.
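The flaw on the order status page is a direct object reference with no ownership check. As an added illustration that is not Tower's code, the Python below shows a lookup with that flaw beside one that ties each order to the logged-in customer, plus a simple access-log heuristic that flags a session walking through order numbers; the order records, log format and session names are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data (not Tower's): order number -> record.
ORDERS = {
    1001: {"customer": "alice", "ship_to": "1 Main St", "items": ["CD-A"]},
    1002: {"customer": "bob", "ship_to": "9 Elm Rd", "items": ["CD-B"]},
}


class NotFound(Exception):
    """Raised for a missing order or one the requester does not own."""


def order_status_vulnerable(order_id: int) -> dict:
    """The flaw the article describes: the order number in the URL is the
    only key, so editing it returns another customer's record."""
    return ORDERS[order_id]


def order_status_fixed(session_user: str, order_id: int) -> dict:
    """Same lookup, but the record must belong to the logged-in user. A
    missing order and someone else's order raise the same error, so the
    response does not confirm which order numbers exist."""
    record = ORDERS.get(order_id)
    if record is None or record["customer"] != session_user:
        raise NotFound("order not found")
    return record


# Detection side: hypothetical access-log format, one request per line.
LOG_RE = re.compile(r"^(?P<session>\S+) GET /order_status\?order=(?P<order>\d+)$")


def sessions_enumerating_orders(log_lines, threshold: int = 3) -> list:
    """Return sessions that viewed more than `threshold` distinct orders;
    one customer rarely checks many, but an enumeration walk does."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["session"]].add(int(m["order"]))
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)


SAMPLE_LOG = [  # constructed log lines
    "sess-A GET /order_status?order=1001",
    "sess-B GET /order_status?order=1001",
    "sess-B GET /order_status?order=1002",
    "sess-B GET /order_status?order=1003",
    "sess-B GET /order_status?order=1004",
]
```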

In the eight days that the hole was open, personal information on at least 5,000 customers was accessed by unauthorized third parties, "and at least two Internet chat rooms contained postings about the vulnerability as well as comments about some consumers' purchases," according to the original Federal Trade Commission complaint.

"In a fast moving world of electronic commerce, change is inevitable," Howard Beales, director of the FTC's Bureau of Consumer Protection, said in a statement. "Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities."

In a statement, Tower Records emphasized that no credit card or social security numbers were exposed in the breach. "We take the privacy and security of personal information collected from our customers very seriously, and have cooperated fully and worked closely with the FTC to ensure that we protect our customers to the best of our ability," said Bill Baumann, chief information officer of Tower.

The case is the FTC's fourth enforcement action arising from corporate computer security or privacy slip-ups. In 2002, the commission won a consent decree against Eli Lilly for the inadvertent disclosure of the email addresses of 669 Prozac users, and another one against Microsoft for inflated security claims about the company's Passport identity management service. Last year the FTC reached a settlement with fashion-retailer Guess after a hacker reported an SQL injection vulnerability on Guess's website that could have exposed over 200,000 credit card numbers with corresponding names and expiration dates.

The FTC has no direct authority to act as the Internet's security police, but it can take action in cases of false or deceptive trade practices. As in the earlier cases, Tower Records' privacy policy opened the door, with promises like, "We use state-of-the-art technology to safeguard your personal information," and "Your TowerRecords.com Account information is password-protected. You and only you have access to this information."

Testifying at a House subcommittee hearing on cyber security Wednesday, FTC commissioner Orson Swindle said the agency isn't just playing "gotcha" with vulnerable ecommerce companies. "Breaches can happen... even when a company has taken every reasonable precaution," Swindle testified. "When we find a failure to implement reasonable procedures, however, we act."
