Feeds

Tower Records settles charges over hack attacks

Must improve security

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Music retailer Tower Records on Wednesday settled charges with federal investigators arising from a security gaffe on the company's ecommerce site, which for a time made the buying habits of online customers accessible to outsiders.

The settlement requires Tower to establish and maintain a comprehensive information security program, which will be certified by an independent expert within six months, and bi-annually thereafter for 10 years. Additionally, the company agreed not to misrepresent the extent to which it protects customer information from unauthorized access. Each violation of the agreement could put the company on the hook for an $11,000 fine.

The case stemmed from an incident in late 2002, when a site redesign introduced a vulnerability into Tower's ecommerce store front that allowed Web users to peruse other customers' order histories by bringing up an order status page, and simply changing the order number in the URL. The gaffe exposed names, billing and shipping addresses, email addresses, phone numbers, and past Tower purchases.

In the eight days that the hole was open, personal information on over least 5,000 customers was accessed by unauthorized third-parties, "and at least two Internet chat rooms contained postings about the vulnerability as well as comments about some consumers' purchases," according to the original Federal Trade Commission complaint.

"In a fast moving world of electronic commerce, change is inevitable," Howard Beales, director of the FTC's Bureau of Consumer Protection, said in a statement. "Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities."

In a statement, Tower Records emphasized that no credit card or social security numbers were exposed in the breach. "We take the privacy and security of personal information collected from our customers very seriously, and have cooperated fully and worked closely with the FTC to ensure that we protect our customers to the best of our ability," said Bill Baumann, chief information officer of Tower.

The case is the FTC's fourth enforcement action arising from corporate computer security or privacy slip-ups. In 2002, the commission won a consent decree against Eli Lilly for the inadvertent disclosure of the email addresses of 669 Prozac users, and another one against Microsoft for inflated security claims about the company's Passport identity management service. Last year the FTC reached a settlement with fashion-retailer Guess after a hacker reported an SQL injection vulnerability on Guess's website that could have exposed over 200,000 credit card numbers with corresponding names and expiration dates.

The FTC has no direct authority to act as the Internet's security police, but it can take action in cases of false or deceptive trade practices. As in the earlier cases, Tower Record's privacy policy opened the door, with promises like, "We use state-of-the-art technology to safeguard your personal information," and "Your TowerRecords.com Account information is password-protected. You and only you have access to this information."

Testifying at a House subcommittee hearing on cyber security Wednesday, FTC commissioner Orson Swindle said the agency isn't just playing "gotcha" with vulnerable ecommerce companies. "Breaches can happen... even when a company has taken every reasonable precaution," Swindle testified. "When we find a failure to implement reasonable procedures, however, we act."

Related stories

Powergen vs whistle-blower case adjourned
No effect seen in US hack disclosure law
US hosting company reveals hacks, citing disclosure law
Guess leaks credit cards of the fashion-conscious
Bill Gates hacker escapes jail
Amazon division hacked, thousands of CCs exposed

The next step in data security

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Bono: Apple will sort out monetising music where the labels failed
Remastered so hard it would be difficult or impossible to master it again
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.