Geeks.com Operator Settles Data Breach Complaint
An online seller of computer supplies and consumer electronics has failed to adequately protect customer data and will have to submit to outside audits for 10 years in a settlement with the U.S. Federal Trade Commission.
Compgeeks.com, which also operates Geeks.com, and parent company Genica, had a data breach discovered in December 2007, affecting hundreds of customers. The Web sites collected customers' personal information including names, addresses and credit card numbers.
The companies routinely stored customers' sensitive personal information in unencrypted text on their corporate computer networks before December 2007, according to an FTC complaint. The companies did not "adequately assess" whether their Web applications and network were vulnerable to commonly known foreseeable attacks, including SQL injection attacks, the FTC said.
The companies did not implement "simple, readily available" and inexpensive defenses to thwart these attacks, the FTC said. From January until June 2007, hackers repeatedly exploited these vulnerabilities by using SQL injection attacks on Geeks.com, the FTC's complaint alleged.
A settlement with the FTC, announced Thursday, bars the companies from making deceptive privacy and data security claims and requires them to implement and maintain a comprehensive information-security program. The settlement also requires them to obtain, every other year for 10 years, an audit from a third-party professional to ensure that the security program meets the standards of the settlement.
Genica has worked closely with state and federal law enforcement officials and with computer forensics experts to find out who was responsible for the breach and to fix any security problems, said Peter Green, the company's marketing manager. "We have taken this breach very seriously," he added.