[ISN] Petco settles charge it left customer data exposed

From: InfoSec News (isn@private)
Date: Thu Nov 18 2004 - 03:21:14 PST


http://www.nwfusion.com/news/2004/1117petcosettl.html

By Robert McMillan
IDG News Service
11/17/04

The U.S. Federal Trade Commission has reached a settlement with pet
food retailer Petco Animal Supplies of charges that the company's Web
site violated federal law by making deceptive security claims.

A security flaw in Petco's Web site left customers' credit card
numbers exposed to attackers. The FTC alleges that Petco did not take
reasonable measures to protect its Web site and made deceptive claims
in stating that customers' credit card numbers would be "shielded from
unauthorized access."

This flaw was exploited in a June 2003 attack on Petco.com in which a
visitor was able to read customer data stored in Petco's database.  
According to Petco, the attack was perpetrated by an independent
security consultant named Jeremiah Jacks, who immediately informed
Petco of the vulnerability.

The vulnerability exposed only a limited amount of customer
information, a Petco spokesman said. "What he got was credit card
numbers, but there was no other customer information accompanying
those numbers," he said.

Under the terms of the settlement, announced Wednesday, Petco is
prohibited from misrepresenting the security of its Web site and must
establish a comprehensive security information program, which will be
subject to independent audits for the next 20 years, said Alain Sheer,
an attorney in the FTC's Division of Financial Practices.

Petco could be held in contempt of court if it violates the agreement,
Sheer said.

It should help to deter other companies from ignoring and
misrepresenting security vulnerabilities on their Web sites, he added.  
"Obviously there's some pretty bad publicity here," Sheer said. "We
think that should be a deterrent."

The FTC has reached similar settlements with Eli Lilly, Microsoft,
Guess and Tower Direct, Sheer said.

"Petco is committed to keeping all customer information obtained
through our Web site and stores private and secure," the Petco
spokesman said.



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Thu Nov 18 2004 - 05:44:26 PST