Guess.com had promised to protect consumers' personal information, but it was in fact vulnerable to commonly known web site attacks, the FTC charges. Guess has agreed to rework its security.
Guess Inc., a retailer of fashion apparel and accessories, has reached a settlement with the Federal Trade Commission regarding the FTC's charges that the retailer exposed its customers' credit card accounts and other personal information to commonly known attacks by hackers that accessed its Guess.com retail web site, even though Guess had published statements on the site that customer information was protected, the FTC said today. "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, director of the FTC's Bureau of Consumer Protection. "It's not just good business, it's the law."
The FTC contends that, since at least October 2000, consumers' personal information on Guess.com has been vulnerable to commonly known attacks such as structured query language (SQL) injection attacks and other web-based application attacks. At the same time, the FTC says, Guess posted statements on Guess.com that reassured consumers that their personal information was secure and protected from unauthorized access. Two of Guess's statements about security read: "This site has security measures in place to protect the loss, misuse, and alteration of information under our control," and "All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times."
The FTC said that Guess in fact did not store customers' personal information in an encrypted, unreadable format at all times and that Guess's security measures failed to protect against SQL injection and other commonly known attacks. In February 2002, the FTC said, a visitor to Guess.com used an SQL injection attack to read, in clear text, credit card numbers stored in Guess's databases.
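To make concrete the two failures the complaint describes (a query that lets user input become SQL, and card numbers sitting readable in the database), the following added example, not code from Guess.com or the FTC, builds a constructed in-memory customer table and compares a concatenated lookup against a parameter-bound one; the probe string is the standard tautology used in application security regression tests, and encryption of the stored card column is outside its scope.

```python
import sqlite3

# Constructed sample data: a customer table holding card numbers in clear
# text, which is the storage failure the FTC complaint describes.
SAMPLE_ROWS = [
    ("alice", "alice-pw", "4111111111111111"),
    ("bob", "bob-pw", "5500000000000004"),
]

# Classic tautology probe; a regression test sends it to prove the fix holds.
PROBE = "nobody' OR '1'='1"


def make_store():
    """Create an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, username):
    """String concatenation: the input is parsed as part of the SQL text."""
    sql = "SELECT card_number FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, username):
    """Parameter binding: the input is passed as data and never parsed as SQL."""
    sql = "SELECT card_number FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def mask(card_number):
    """Reduce a card number to its last four digits for display and logging."""
    return "*" * (len(card_number) - 4) + card_number[-4:]


if __name__ == "__main__":
    db = make_store()
    print("vulnerable:", [mask(c) for c in vulnerable_lookup(db, PROBE)])
    print("parameterized:", safe_lookup(db, PROBE))
```

Run against the probe, the concatenated query returns every row's card number while the parameter-bound query returns nothing, which is the check a reviewer would keep in the test suite after fixing such a lookup.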
The settlement agreement prohibits Guess from misrepresenting the extent to which it maintains and protects the security of personal information collected from consumers or that it collects from other sources about consumers. The settlement also requires Guess to establish and maintain a comprehensive information security program, for Guess.com and other web sites it operates, certified as meeting or exceeding FTC standards by an independent security professional within a year.
In a prepared statement, Guess insisted that no consumers were harmed by the single incident in which a hacker accessed Guess.com. "We cooperated fully with the FTC's review," Guess said. "No consumers were harmed in the single incident in which a hacker entered our site more than a year ago. Since that time, we have upgraded our site to best ensure the security of our consumers' personal information. Going forward, we will continue to monitor and upgrade our site in order to safeguard the privacy of our consumers."
The FTC notes that a consent agreement is for settlement purposes only and does not constitute an admission of a violation of a law.