Feeds

Tower Records settles charges over hack attacks

Must improve security

  • alert
  • submit to reddit

Designing a Defense for Mobile Applications

Music retailer Tower Records on Wednesday settled charges with federal investigators arising from a security gaffe on the company's ecommerce site, which for a time made the buying habits of online customers accessible to outsiders.

The settlement requires Tower to establish and maintain a comprehensive information security program, which will be certified by an independent expert within six months, and bi-annually thereafter for 10 years. Additionally, the company agreed not to misrepresent the extent to which it protects customer information from unauthorized access. Each violation of the agreement could put the company on the hook for an $11,000 fine.

The case stemmed from an incident in late 2002, when a site redesign introduced a vulnerability into Tower's ecommerce store front that allowed Web users to peruse other customers' order histories by bringing up an order status page, and simply changing the order number in the URL. The gaffe exposed names, billing and shipping addresses, email addresses, phone numbers, and past Tower purchases.

In the eight days that the hole was open, personal information on over least 5,000 customers was accessed by unauthorized third-parties, "and at least two Internet chat rooms contained postings about the vulnerability as well as comments about some consumers' purchases," according to the original Federal Trade Commission complaint.

"In a fast moving world of electronic commerce, change is inevitable," Howard Beales, director of the FTC's Bureau of Consumer Protection, said in a statement. "Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities."

In a statement, Tower Records emphasized that no credit card or social security numbers were exposed in the breach. "We take the privacy and security of personal information collected from our customers very seriously, and have cooperated fully and worked closely with the FTC to ensure that we protect our customers to the best of our ability," said Bill Baumann, chief information officer of Tower.

The case is the FTC's fourth enforcement action arising from corporate computer security or privacy slip-ups. In 2002, the commission won a consent decree against Eli Lilly for the inadvertent disclosure of the email addresses of 669 Prozac users, and another one against Microsoft for inflated security claims about the company's Passport identity management service. Last year the FTC reached a settlement with fashion-retailer Guess after a hacker reported an SQL injection vulnerability on Guess's website that could have exposed over 200,000 credit card numbers with corresponding names and expiration dates.

The FTC has no direct authority to act as the Internet's security police, but it can take action in cases of false or deceptive trade practices. As in the earlier cases, Tower Record's privacy policy opened the door, with promises like, "We use state-of-the-art technology to safeguard your personal information," and "Your TowerRecords.com Account information is password-protected. You and only you have access to this information."

Testifying at a House subcommittee hearing on cyber security Wednesday, FTC commissioner Orson Swindle said the agency isn't just playing "gotcha" with vulnerable ecommerce companies. "Breaches can happen... even when a company has taken every reasonable precaution," Swindle testified. "When we find a failure to implement reasonable procedures, however, we act."

Related stories

Powergen vs whistle-blower case adjourned
No effect seen in US hack disclosure law
US hosting company reveals hacks, citing disclosure law
Guess leaks credit cards of the fashion-conscious
Bill Gates hacker escapes jail
Amazon division hacked, thousands of CCs exposed

The smart choice: opportunity from uncertainty

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Airbus promises Wi-Fi – yay – and 3D movies (meh) in new A330
If the person in front reclines their seat, this could get interesting
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
Want to beat Verizon's slow Netflix? Get a VPN
Exec finds stream speed climbs when smuggled out
Samsung threatens to cut ties with supplier over child labour allegations
Vows to uphold 'zero tolerance' policy on underage workers
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.