[ISN] Petco settles charge it left customer data exposed
isn at c4i.org
Thu Nov 18 06:21:14 EST 2004
By Robert McMillan
IDG News Service
The U.S. Federal Trade Commission has reached a settlement with pet
food retailer Petco Animal Supplies of charges that the company's Web
site violated federal law by making deceptive security claims.
A security flaw in Petco's Web site left customers' credit card
numbers exposed to attackers. The FTC alleges that Petco did not take
reasonable measures to protect its Web site and made deceptive claims
in stating that customers' credit card numbers would be "shielded from
This flaw was exploited in a June 2003 attack on Petco.com in which a
visitor was able to read customer data stored in Petco's database.
According to Petco, the attack was perpetrated by an independent
security consultant named Jeremiah Jacks, who immediately informed
Petco of the vulnerability.
The vulnerability exposed only a limited amount of customer
information, a Petco spokesman said. "What he got was credit card
numbers, but there was no other customer information accompanying
those numbers," he said.
Under the terms of the settlement, announced Wednesday, Petco is
prohibited from misrepresenting the security of its Web site and must
establish a comprehensive security information program, which will be
subject to independent audits for the next 20 years, said Alain Sheer,
an attorney in the FTC's Division of Financial Practices.
Petco could be held in contempt of court if it violates the agreement,
It should help to deter other companies from ignoring and
misrepresenting security vulnerabilities on their Web sites, he added.
"Obviously there's some pretty bad publicity here," Sheer said. "We
think that should be a deterrent."
The FTC has reached similar settlements with Eli Lilly, Microsoft,
Guess and Tower Direct, Sheer said.
"Petco is committed to keeping all customer information obtained
through our Web site and stores private and secure," the Petco
More information about the ISN