Petco Settles FTC Security Charges

[Anonymous]

I usually drop these little nuggets in the Sump, but this seems a more fitting place.. (For the most part, I think this place aught to exist WITHIN the Sump, but thats a matter of opinion I guess...)

http://www.informationweek.com/story/sh ... D=53700517

Petco Settles FTC Security Charges
Nov. 18, 2004

Pet-products retailer agrees to settle charges that flaws in its Web site violated security and privacy promises made to customers.
By George V. Hulme

Petco Animal Supplies Inc. will spend the next 20 years making sure it doesn't once again end up in the doghouse over cybersecurity woes with the Federal Trade Commission.

Petco has agreed to settle FTC charges that flaws in its Web site violated security and privacy promises it made to customers within statements on its site. The FTC also accused Petco of not taking reasonable or appropriate steps to prevent cyberattacks.

While the settlement doesn't constitute an admission of guilt for a violation of law, it will require Petco to bolster its security and to submit to independent security inspections for the next 20 years.

The flaws in question, which allow for a common type of intrusion known as a SQL injection attack, could permit hackers to access customer records, including credit-card numbers, the FTC said. The FTC also alleged that Petco didn't protect sensitive customer information it stored with adequate encryption. "As a result, a hacker was able to penetrate the Petco Web site and access credit-card numbers stored in unencrypted clear text," the FTC said in a statement.

In a prepared statement, Petco said it's "committed to keeping all customer information obtained through our Web site and stores private and secure, and we have taken--and will continue to take--necessary measures to achieve that goal. ... We support the FTC's efforts to advocate and enforce enhanced online security measures for U.S. consumers and look forward to working with their staff to ensure that Petco continues meeting our commitment to keeping our customers' personal information secure."

This is the fifth time the FTC has successfully challenged deceptive claims made by businesses regarding their efforts to protect customer information. The previous cases included Eli Lilly, Guess, Microsoft, and Tower Records. Each case centered on promises the companies made in their privacy policies.

Moral of the story, if you're gonna etail, make sure your sh.t's secure if you're gonna advertise that it is.

 

[dizzy]

Norm,
I think the moral of the story is buyer beware. If a huge corporation like Petco is doing such a poor job of protecting consumer information, I doubt you can expect much better from the fly by night etailers.
Mitch

 

[naesco]

Norm,
I think the moral of the story is buyer beware. If a huge corporation like Petco is doing such a poor job of protecting consumer information, I doubt you can expect much better from the fly by night etailers.
Mitch

Your correct dizzy it is a major risk to provide your banking information or any personal information online.
The Petco story and many others prove this.

 

[JeremyR]

It's a risk to use your credit card at the grocery store. It's a risk to walk across the street. We could always go back to the stone age, barter with clam shells, and get eaten by large mammals with big teeth...

The sky is falling.

 

[Anonymous]

They had better be aquacultured clam shells.

 

[Anonymous]

You should feed your clam shells a better food...

Peace,

Chip

 

[JennM]

It's a risk to use your credit card at the grocery store. It's a risk to walk across the street. We could always go back to the stone age, barter with clam shells, and get eaten by large mammals with big teeth...

The sky is falling.

Clearly you've never been the victim of identity theft.

Yeah it's a risk, but if people are told that their information is secure, there is a reasonable expectation there.

I used my credit card to pay for a shipment at an airline cargo office once, and suddenly my card began "paying" for purchases in the city that airline is based in, in a state I've never been to. It was a major PITA to get things fixed.

My FIL had his debit card number stolen and his bank account cleaned out. Had my SIL not found out about it (she is a banker), he would have lost all his savings because he had no idea how it happened, or that he had any recourse.

You might not be so cavalier about it if it happened to you, it can screw with your life - your credit record, your day-to-day finances... everything.

It does give one pause for thought -- if Petco was lax, with all their resources, just makes one wonder about other etail establishments...

Jenn

 

[JeremyR]

My point is, in the grand scheme of things.. you are just as likely to get ripped off by using your credit card at any merchant you are present at, as your airline cargo office showed. You don't have to be a hacker to steal someones card info there. My post was in reference to mitch & naesco's generalization of the risk of purchasing online.. you have that risk anywhere, all you did was make my point for me. A person can be careful, but that sleeze at the airport making an old style transaction carbon imprint of your card info is probably a larger risk than most online vendors.

 

[dizzy]

Jeremy.
I disagree. While there is definitely some risk of having your identity stolen at the local shopping level, it would likely be some petty thief commiting the crime. This is much easier to catch and prosecute than an international crime ring working out of Russia, Bali or Canada. Internet crime is in its infancy. Look for international criminals to get much better at it in the future. America has a huge target on its back. I also believe the fly by night etailers are much more likely to store your credit card information on non-secure computers. Are you suggesting that you have a more secure system in place for your etail operation than Petco does? How often do you update your encrypting techniques? The risks are real and likely to get worse instead of better. Even if the company you are ordering from is secure, the security lapse could come from your own computer. I have heard cookies can be put on your home computer that can read every keystroke you make and get your credit card information that way. You sound like a Merck representative assuring everyone that Vioxx is safe. :wink: All I said was buyer beware. If your going to order online it might be a good idea to have a dedicated credit card that is only used for that purpose so you can watch it more easily. I have seen several specials that show how difficult it can be to get your credit straightened out if you are a victim of such crimes.
Mitch

 

[JeremyR]

Those damn canadians, I knew we couldn't trust them.

 

[Chucky]

Excuse me, Jeremy R.? Shall we get into some PMs here?

 

[DBM]

Those damn canadians, I knew we couldn't trust them.

[/quote]
:lol: