Tower Records settles charges over hack attacks

Must improve security

Music retailer Tower Records on Wednesday settled charges with federal investigators arising from a security gaffe on the company's ecommerce site, which for a time made the buying habits of online customers accessible to outsiders.

The settlement requires Tower to establish and maintain a comprehensive information security program, which will be certified by an independent expert within six months, and bi-annually thereafter for 10 years. Additionally, the company agreed not to misrepresent the extent to which it protects customer information from unauthorized access. Each violation of the agreement could put the company on the hook for an $11,000 fine.

The case stemmed from an incident in late 2002, when a site redesign introduced a vulnerability into Tower's ecommerce store front that allowed Web users to peruse other customers' order histories by bringing up an order status page, and simply changing the order number in the URL. The gaffe exposed names, billing and shipping addresses, email addresses, phone numbers, and past Tower purchases.
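The defect described above, an order lookup keyed only on the number in the URL, beside a hardened version that ties the order to the signed-in customer. This is an added example, not Tower Records' code; the order data, exception and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    items: tuple


# Constructed sample data standing in for the store's order table.
ORDERS = {
    1001: Order(1001, customer_id=7, items=("Album A",)),
    1002: Order(1002, customer_id=8, items=("Album B", "Album C")),
}


class NotFound(Exception):
    """Raised for both missing and foreign orders, so the response does not
    reveal whether a given order number exists."""


def order_status_vulnerable(order_id: int) -> Order:
    # Looks up the order by the number taken straight from the URL.
    # Nothing ties the order to the caller, so changing the number in the
    # URL walks through other customers' orders (the flaw in the article).
    return ORDERS[order_id]


def order_status_hardened(session_customer_id: int, order_id: int) -> Order:
    # Authorization: the order must exist AND belong to the customer
    # identified by the server-side session, never by anything in the URL.
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        raise NotFound()
    return order


def ownership_enforced() -> bool:
    """Regression check a release process can run after a site redesign:
    customer 7 must not be able to read customer 8's order 1002."""
    try:
        order_status_hardened(session_customer_id=7, order_id=1002)
    except NotFound:
        return True
    return False
```

The regression check is the kind of "reasonable procedure" the FTC statement below refers to: it fails the build if a redesign reintroduces the missing ownership check.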

In the eight days that the hole was open, personal information on at least 5,000 customers was accessed by unauthorized third parties, "and at least two Internet chat rooms contained postings about the vulnerability as well as comments about some consumers' purchases," according to the original Federal Trade Commission complaint.

"In a fast moving world of electronic commerce, change is inevitable," Howard Beales, director of the FTC's Bureau of Consumer Protection, said in a statement. "Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities."

In a statement, Tower Records emphasized that no credit card or social security numbers were exposed in the breach. "We take the privacy and security of personal information collected from our customers very seriously, and have cooperated fully and worked closely with the FTC to ensure that we protect our customers to the best of our ability," said Bill Baumann, chief information officer of Tower.

The case is the FTC's fourth enforcement action arising from corporate computer security or privacy slip-ups. In 2002, the commission won a consent decree against Eli Lilly for the inadvertent disclosure of the email addresses of 669 Prozac users, and another one against Microsoft for inflated security claims about the company's Passport identity management service. Last year the FTC reached a settlement with fashion retailer Guess after a hacker reported an SQL injection vulnerability on Guess's website that could have exposed over 200,000 credit card numbers with corresponding names and expiration dates.

The FTC has no direct authority to act as the Internet's security police, but it can take action in cases of false or deceptive trade practices. As in the earlier cases, Tower Records' privacy policy opened the door, with promises like, "We use state-of-the-art technology to safeguard your personal information," and "Your TowerRecords.com Account information is password-protected. You and only you have access to this information."

Testifying at a House subcommittee hearing on cyber security Wednesday, FTC commissioner Orson Swindle said the agency isn't just playing "gotcha" with vulnerable ecommerce companies. "Breaches can happen... even when a company has taken every reasonable precaution," Swindle testified. "When we find a failure to implement reasonable procedures, however, we act."
