Source: InformationWeek
The FTC said a company called "Life is good" lacked "reasonable and appropriate security for the sensitive consumer information stored on its computer network."
By K.C. Jones
InformationWeek
January 18, 2008 01:39 PM
An online retailer has settled with the Federal Trade Commission on charges it didn't protect consumer information and that its security failures allowed hackers to steal credit card information.
An FTC complaint states that the company, "Life is good," claimed in its privacy policy that it was committed to protecting consumer information and stored the information in a secure file used to tailor communications with consumers. The FTC said that "Life is good" lacked "reasonable and appropriate security for the sensitive consumer information stored on its computer network."
The FTC said the company stored the information, including credit card security codes, indefinitely in plain readable text on its network and failed to check its own Web site and network for vulnerability to well-known and reasonably foreseeable attacks, like SQL injection. The FTC said "Life is good" failed to use free or low-cost security to monitor and control network connections and prevent such attacks. Finally, the FTC claims that the company did not take reasonable measures to detect unauthorized access to the information.
"A hacker was able to use SQL injection attacks on Life is good's Web site to access the credit card numbers, expiration dates, and security codes of thousands of consumers," the FTC said in a statement announcing the settlement.
Read more:
http://www.informationweek.com/news/showArticle.jhtml?articleID=205901219