August 8, 2003, 12:00 AM

FTC approves final consent decree in Guess? Inc. hacker case

The Federal Trade Commission has approved the issuance of a final consent decree in a case in which the FTC charged that Guess? misrepresented the security of consumers` personal information.

Kurt Peters

Executive Editor

The Federal Trade Commission has approved the issuance of a final consent decree in a case in which the FTC charged that Guess? Inc. and Guess.com Inc. misrepresented the security of consumers` personal information at Guess.com. The FTC charged that, contrary to the companies’ claims, they exposed consumers` personal information, including credit card numbers, to commonly known attacks by hackers by not using reasonable or appropriate measures to prevent consumer information from being accessed at Guess.com. The settlement will require that Guess implement a comprehensive information security program for Guess.com and its other web sites.

"Consumers have every right to expect that a business that says it`s keeping personal information secure is doing exactly that," said Howard Beales, director of the FTC`s Bureau of Consumer Protection. "It`s not just good business, it`s the law."

According to the FTC complaint, since at least October 2000, Guess` s web site has been vulnerable to widely known attacks such as "Structured Query Language injection attacks" and other web-based application attacks. The FTC said: “Guess` online statements reassured consumers that their personal information would be secure and protected. The company`s claims included ‘This site has security measures in place to protect the loss, misuse, and alteration of information under our control’ and ‘All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times.’ "

In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and Guess`s security measures failed to protect against SQL and other commonly known attacks. In February 2002, a visitor to the web site, using an SQL injection attack, was able to read in clear text credit card numbers stored in Guess`s databases, according to the FTC.

The Guess settlement prohibits the company from misrepresenting the extent to which it maintains and protects the security of personal information collected from or about consumers and requires that Guess establish a comprehensive information security program. In addition, Guess must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within a year, and every other year thereafter.

When the settlement was announced a month ago, Guess issued a statement: “We cooperated fully with the FTC`s review. No consumers were harmed in the single incident in which a hacker entered our site more than a year ago. Since that time, we have upgraded our site to best ensure the security of our consumers` personal information. Going forward, we will continue to monitor and upgrade our site in order to safeguard the privacy of our consumers.”

The FTC notes that a consent agreement is for settlement purposes only and does not constitute an admission of a law violation.

 

Comments

Sign In to Make a Comment

Comments are moderated by Internet Retailer and can be removed.

Not a member? Signup for free today!

Advertisement

Advertisement

Advertisement

Relevant Commentary

FPO

Jason Squardo / Mobile Commerce

Five tips for achieving high mobile search rankings

Searches on mobile devices will soon exceed those on computers, Google says. Retailers that keep ...

FPO

Sergio Pereira / B2B E-Commerce

Quill turns to its B2B customers for new ideas

Coming in April is a new section of Quill.com that will let customers and Quill ...

Advertisement