The US Federal Trade Commission (FTC) has settled a case in which the agency accused clothing and accessory supplier Guess of not taking appropriate measures to secure its web site.
The FTC accused Guess of leaving its website open to "commonly known" attacks, including the common SQL injection attack, since October 2000, although the company claimed to protect consumer data.
In February 2002 an SQL injection attack caused the release of an undisclosed number of credit card numbers stored in the Guess database, the FTC said.
Under the terms of the settlement the company is prohibited from misrepresenting the security of customers' personal information.
Guess must also maintain a comprehensive security programme at its web sites and submit an independent security auditor's report to the FTC every two years for the next 20 years.
This is the third such settlement the FTC has entered into in the past 18 months:
- In January 2002 it settled with Eli Lilly for its distribution of an e-mail showing in the "to" field the e-mail addresses of 669 users of the antidepressant drug Prozac.
- In August 2002 itsettled a dispute with Microsoft over the company's security claims for its Passport web password services.
The FTC is working to force companies to pay attention to web security, said Joel Winston, associate director for financial practices in the FTC's Bureau of Consumer Protection.
"We co-operated fully with the FTC's review," a Guess statement said. "No consumers were harmed in the single incident in which a hacker entered our site more than a year ago. Since that time, we have upgraded our site to best ensure the security of our consumers' personal information."
The FTC voted 5-0 to accept the settlement. The agreement will be subject to public comment for 30 days, after which the FTC will decide whether to make it final.
Grant Gross writes for IDG News Service