
Tower Records settles charges over hack attacks

Must improve security



Music retailer Tower Records on Wednesday settled charges with federal investigators arising from a security gaffe on the company's ecommerce site, which for a time made the buying habits of online customers accessible to outsiders.

The settlement requires Tower to establish and maintain a comprehensive information security program, which must be certified by an independent expert within six months and every two years thereafter for 10 years. Additionally, the company agreed not to misrepresent the extent to which it protects customer information from unauthorized access. Each violation of the agreement could put the company on the hook for an $11,000 civil penalty.

The case stemmed from an incident in late 2002, when a site redesign introduced a vulnerability into Tower's ecommerce store front that allowed Web users to peruse other customers' order histories by bringing up an order status page, and simply changing the order number in the URL. The gaffe exposed names, billing and shipping addresses, email addresses, phone numbers, and past Tower purchases.

In the eight days that the hole was open, personal information on at least 5,000 customers was accessed by unauthorized third parties, "and at least two Internet chat rooms contained postings about the vulnerability as well as comments about some consumers' purchases," according to the original Federal Trade Commission complaint.

"In a fast moving world of electronic commerce, change is inevitable," Howard Beales, director of the FTC's Bureau of Consumer Protection, said in a statement. "Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities."
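The flaw described above is a direct object reference that is never checked against the logged-in customer: the order number in the URL is the only input, so anyone can walk the sequence. The following is an added illustration, not Tower Records' code; the order records, customer IDs and function names are constructed for the example. It shows the vulnerable lookup beside a hardened one that binds the lookup to the authenticated session, plus the kind of cross-account regression check Beales' remark about change procedures calls for, which a site can run after every redesign.

```python
"""Vulnerable vs. hardened order-status lookup (constructed example).

Sample data, customer IDs and function names are assumptions made for this
illustration; none of it is Tower Records' code.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    name: str
    shipping_address: str
    items: Tuple[str, ...]


# Constructed sample orders with sequential IDs, the property that lets an
# attacker read every order simply by incrementing the number in the URL.
ORDERS = {
    1001: Order(1001, 7, "A. Customer", "1 Example St", ("CD: Album One",)),
    1002: Order(1002, 8, "B. Customer", "2 Sample Rd", ("DVD: Film Two",)),
    1003: Order(1003, 7, "A. Customer", "1 Example St", ("CD: Album Three",)),
}


def order_status_vulnerable(order_id: int) -> Optional[Order]:
    """Looks up the order by the number supplied in the URL and nothing else.
    Whoever sends the request, logged in or not, gets any order they can guess."""
    return ORDERS.get(order_id)


def order_status_fixed(session_customer_id: Optional[int],
                       order_id: int) -> Optional[Order]:
    """Bind the lookup to the authenticated customer.

    A missing order and another customer's order both return None, so the
    endpoint gives no signal that would let a caller enumerate valid numbers.
    """
    if session_customer_id is None:
        return None
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        return None
    return order


def enumerate_orders(lookup: Callable[[int], Optional[Order]],
                     start: int, stop: int) -> List[Order]:
    """What the attackers did: iterate order numbers and keep every hit."""
    found = []
    for n in range(start, stop):
        order = lookup(n)
        if order is not None:
            found.append(order)
    return found


def cross_account_leaks(lookup: Callable[[int, int], Optional[Order]]
                        ) -> List[Tuple[int, int]]:
    """Regression check to run after every site change: as each known customer,
    request every order and report any that belongs to someone else."""
    customers = {o.customer_id for o in ORDERS.values()}
    leaks = []
    for cid in customers:
        for oid in ORDERS:
            got = lookup(cid, oid)
            if got is not None and got.customer_id != cid:
                leaks.append((cid, oid))
    return sorted(leaks)


if __name__ == "__main__":
    leaked = enumerate_orders(order_status_vulnerable, 1000, 1010)
    print("vulnerable endpoint leaked", len(leaked), "orders")
    own = enumerate_orders(lambda n: order_status_fixed(8, n), 1000, 1010)
    print("customer 8 sees only", [o.order_id for o in own], "through the fix")
    print("leaks before fix:",
          cross_account_leaks(lambda cid, oid: order_status_vulnerable(oid)))
    print("leaks after fix: ", cross_account_leaks(order_status_fixed))
```

Two design points matter here. The authorization check keys on the session's customer ID, never on anything the client sends, and the fixed handler answers "not found" uniformly rather than distinguishing "not yours" from "does not exist". The `cross_account_leaks` check is the piece that addresses the FTC's complaint directly: the original bug was introduced by a redesign, and a test that replays every customer against every order would have caught it before deployment.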

In a statement, Tower Records emphasized that no credit card or social security numbers were exposed in the breach. "We take the privacy and security of personal information collected from our customers very seriously, and have cooperated fully and worked closely with the FTC to ensure that we protect our customers to the best of our ability," said Bill Baumann, chief information officer of Tower.

The case is the FTC's fourth enforcement action arising from corporate computer security or privacy slip-ups. In 2002, the commission won a consent decree against Eli Lilly for the inadvertent disclosure of the email addresses of 669 Prozac users, and another one against Microsoft for inflated security claims about the company's Passport identity management service. Last year the FTC reached a settlement with fashion-retailer Guess after a hacker reported an SQL injection vulnerability on Guess's website that could have exposed over 200,000 credit card numbers with corresponding names and expiration dates.

The FTC has no direct authority to act as the Internet's security police, but it can take action in cases of false or deceptive trade practices. As in the earlier cases, Tower Records' privacy policy opened the door, with promises like, "We use state-of-the-art technology to safeguard your personal information," and "Your TowerRecords.com Account information is password-protected. You and only you have access to this information."

Testifying at a House subcommittee hearing on cyber security Wednesday, FTC commissioner Orson Swindle said the agency isn't just playing "gotcha" with vulnerable ecommerce companies. "Breaches can happen... even when a company has taken every reasonable precaution," Swindle testified. "When we find a failure to implement reasonable procedures, however, we act."



