eWEEK.com

Geeks.com Settles FTC Charges
By: Roy Mark
2009-02-06
Following a 2007 hack using Structured Query Language injection attacks that ultimately exposed the sensitive data of hundreds of customers, Geeks.com agrees with the Federal Trade Commission that the online retailer of computer goods and other consumer electronics failed to provide reasonable security.
Geeks.com agreed Feb. 5 to settle with the Federal Trade Commission charges stemming from a 2007 data breach at the online retailer of computer goods and other consumer electronics.
During the breach, hackers accessed the sensitive information of hundreds of customers. According to the FTC, Geeks.com routinely stored in unencrypted text on its corporate computer network customers' first and last name, address, e-mail address, telephone number and credit card information. The FTC charged Geeks.com for failing to provide reasonable security to protect sensitive customer data.
The settlement bars Geeks.com from making deceptive privacy and data security claims and requires Geeks.com to implement and maintain a comprehensive information-security program that includes administrative, technical and physical safeguards. The settlement also requires an audit from a qualified, independent, third-party professional every other year for 10 years.
In addition, the settlement contains standard record keeping provisions to allow the FTC to monitor compliance.
The FTC claims Geeks.com did not adequately assess whether its Web application and network were vulnerable to commonly known or reasonably foreseeable attacks, such as Structured Query Language injection attacks. The FTC said Geeks.com did not implement simple, readily available defenses to these attacks.
While not adequately defending against SQL injection attacks, Geeks.com violated federal law by falsely stating it took reasonable and appropriate measures to protect personal information from unauthorized access.
During the time of the breach, Geeks.com's privacy policy stated, in part, "We use secure technology, privacy protection controls and restrictions on employee access in order to safeguard your information."
Geeks.com did not become aware of the breach until December 2007 and notified customers Jan. 4, 2008.
"We take this breach of our data seriously, and we deeply regret that this incident has occurred. We immediately reported this crime to local law enforcement authorities, as well as the Secret Service and other federal authorities," Jerry L. Harken, chief of security for Geeks.com's parent company, Genica Corp., said in the Jan. 4 letter to customers. "We also reported the incident to Visa. We have engaged an outside, nationally recognized security firm to determine how this incident occurred and to confirm that information we obtain is protected to the fullest extent reasonably possible."

© 2009 Ziff Davis Enterprise, Inc.