An online seller of computer supplies and other consumer electronics has agreed to settle Federal Trade Commission charges that it violated federal law by failing to provide reasonable security to protect sensitive customer data.
According to the FTC’s complaint, Compgeeks.com (Compgeeks), which operates the www.geeks.com Web site, and its parent company, Genica Corporation (Genica), collect sensitive information from consumers to obtain authorization for credit card purchases. The respondents require each consumer to provide his or her first and last name; address; e-mail address; telephone number; and credit card number, expiration date, and security code. In January 2008, media reports revealed a data breach at the company. It was later confirmed that hackers accessed the sensitive information of hundreds of consumers.
The complaint alleges that until at least December 2007, among other security failures, the respondents routinely stored this sensitive information in unencrypted text on their corporate computer network. The complaint also charges that the respondents did not adequately assess whether their Web application and network were vulnerable to commonly known or reasonably foreseeable attacks, such as Structured Query Language (SQL) injection attacks. The respondents also did not implement simple, readily available defenses to these attacks; defenses that were free or inexpensive. And – from January 2007 or earlier through June 2007 or later – hackers repeatedly exploited these vulnerabilities by using SQL injection attacks on the www.geeks.com Web site, the complaint alleges. The respondents did not become aware of the breach until December 2007.
Read more of FTC Press Release. Related documents.