[ISN] Tower Records settles government charges over hacker attacks
InfoSec News
isn at c4i.org
Thu Apr 22 03:10:50 EDT 2004
http://www.detnews.com/2004/technology/0404/22/technology-129882.htm
By Ted Bridis
AP Technology Writer
April 22, 2004
WASHINGTON -- The company that operates the Web site for music
retailer Tower Records has settled complaints by U.S. regulators that
it allowed hackers in 2002 to steal personal information about
thousands of its online customers.
Under the agreement announced Wednesday, MTS Inc. of West Sacramento,
Calif., must maintain a "reasonably designed" program to assure the
security of customers to the Web site and hire outside consultants
every two years during the next decade to test its security.
The Federal Trade Commission said failure to abide by those terms
could result in fines up to $11,000.
The FTC said Tower Records, which emerged from bankruptcy last month,
redesigned part of its Web site in November and December 2002 but
failed to update one feature that customers used to check the status
of their online purchase.
Over eight days, hackers exploited the problem to view the names,
addresses and purchase details for about 5,225 customers and sometimes
wrote demeaning comments in Internet chat rooms about people's choices
in music, the FTC said.
Tower said in a statement that hackers did not steal any of its
customers' credit card or Social Security numbers, that it corrected
the problem and that it has not detected any subsequent break-ins.
"We take the privacy and security of personal information collected
from our customers very seriously," said Bill Baumann, Tower's chief
information officer.
The FTC, which traditionally prosecutes businesses for fraudulent and
deceptive trade practices, sued Tower Records over its written
assurances to customers that it protected their personal information
using "state-of-the-art technology." Regulators said the vulnerability
in the company's Web site was "commonly known and reasonably
foreseeable."
The case against Tower Records was the fourth of its kind by the FTC.
"Companies must have reasonable procedures in place to make sure that
changes do not create new vulnerabilities," said Howard Beales,
director of the FTCs Bureau of Consumer Protection. "Just as consumers
remodeling their homes would make sure that the doors still have
locks, companies should make sure that sensitive data is still
protected."
More information about the ISN
mailing list