
| Subject: | [ISN] Petco settles charge it left customer data exposed |
|---|---|
| Date: | Thu, 18 Nov 2004 05:21:14 -0600 (CST) |

http://www.nwfusion.com/news/2004/1117petcosettl.html

By Robert McMillan
IDG News Service
11/17/04

The U.S. Federal Trade Commission has reached a settlement with pet food retailer Petco Animal Supplies of charges that the company's Web site violated federal law by making deceptive security claims.

A security flaw in Petco's Web site left customers' credit card numbers exposed to attackers. The FTC alleges that Petco did not take reasonable measures to protect its Web site and made deceptive claims in stating that customers' credit card numbers would be "shielded from unauthorized access."

This flaw was exploited in a June 2003 attack on Petco.com in which a visitor was able to read customer data stored in Petco's database. According to Petco, the attack was perpetrated by an independent security consultant named Jeremiah Jacks, who immediately informed Petco of the vulnerability.

The vulnerability exposed only a limited amount of customer information, a Petco spokesman said. "What he got was credit card numbers, but there was no other customer information accompanying those numbers," he said.

Under the terms of the settlement, announced Wednesday, Petco is prohibited from misrepresenting the security of its Web site and must establish a comprehensive security information program, which will be subject to independent audits for the next 20 years, said Alain Sheer, an attorney in the FTC's Division of Financial Practices.

Petco could be held in contempt of court if it violates the agreement, Sheer said. It should help to deter other companies from ignoring and misrepresenting security vulnerabilities on their Web sites, he added. "Obviously there's some pretty bad publicity here," Sheer said. "We think that should be a deterrent."

The FTC has reached similar settlements with Eli Lilly, Microsoft, Guess and Tower Direct, Sheer said.

"Petco is committed to keeping all customer information obtained through our Web site and stores private and secure," the Petco spokesman said.

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/