Geeks.com settles charges claiming its security was crap
A decade in the stockade
Geeks.com, a large online seller of computer hardware and software, has agreed to allow federal regulators to monitor its website security for 10 years to settle charges it violated federal laws requiring it to adequately safeguard sensitive customer data.
The agreement, which also applies to sister site computergeeks.com, settles a complaint filed by the Federal Trade Commission that accused the online retailers of misleading its customers about the safety of their personal information. Names, addresses, credit card numbers, and other data were routinely sent unencrypted to authorization services, making them ripe for identity thieves, the complaint alleged.
What's more, the sites carried privacy policies that claimed the company employed "secure technology, privacy protection controls and restrictions on employee access in order to safeguard your personal information."
During a six-month period starting in January of 2007, the sites were breached repeatedly by hackers who used simple SQL injections to siphon credit card numbers, expiration dates, and other sensitive details on hundreds of customers. Website operators didn't learn of the attacks until the following December. During the time of the breach, Geeks.com proudly displayed a banner provided by security provider McAfee claiming the site was "Hacker Safe".
The sites have since closed the security holes and notified law enforcement authorities.
Genica Corp., the websites' parent company, has agreed to submit its website security to outside auditing by qualified security professionals every other year and to make the results available to FTC officials. The agreement will remain in place for the next decade. The company also agreed not to make misleading claims about its website security.
Even with federal charges settled, Genica is likely to have some explaining to do with the credit card industry. Payment card industry regulations require merchants to follow a maze of procedures designed to protect card data as it's stored on servers and zapped to authorization services. Penalties for violations can be steep.
That's a pretty vague way of describing what is happening, there needs to be more detail. Are the details unencrypted and being sent over a VPN (In which case the security of the VPN, within certain limits, would be suitable for PCI regulations.) or is the data sent across a point to point dedicated leased line, in which case encryption would be good practice, but not 100% required. Or plain text across the internet?
Also, still no clarification if an authorization service is an online 3rd party service, a bank or (highly unlikely) they are going directly to the PCI, beit AmEx, Visa, etc.
Hacker Safe - Tested Daily
I always had a feeling those banners were only for show. They only seemed to appear on websites that seemed a bit sub-par.
And another thing...
...geeks.com has to answer to the credit card industry? Well, perhaps they will; but only if the credit card industry puts its own house in order first.
The blind leading the blind.