When Tower redesigned TowerRecords.com, it created a security hole that let hackers access the site’s order records and other personal information of its customers, the FTC says. Tower is the FTC’s fourth case involving breached online consumer data.
When Tower Direct LLC redesigned TowerRecords.com, it created a security hole that let hackers access the site’s order records and other personal information of its customers for about a week in the summer of 2002, the Federal Trade Commission says. Tower and the FTC have reached a consent agreement that bars the music and video retailer from misrepresenting its ability to protect consumer information and requires it to establish a certified security program. Tower Direct and its parent, MTS Inc., both signed the agreement.
In its fourth case involving hacked online consumer data, the FTC contends that the security hole resulting from the site redesign made it impossible for Tower to satisfy the privacy claims it makes on TowerRecords.com: "We use state-of-the-art technology to safeguard your personal information" and "Your TowerRecords.com account information is password-protected. You and only you have access to this information."
Ironically, the security flaw would have been "easy to prevent and fix, but Tower failed to implement appropriate checks and controls in the process of writing and revising its web applications," the FTC said in a statement. It added that Tower failed to adopt and implement policies and procedures to test the security of its web site or provide appropriate training and oversight to its employees. In addition to order information, the hackers were able to access such data as customer names, billing and shipping addresses, e-mail addresses, phone numbers and purchase histories.
Tower said the site invasion was an isolated incident that did not disclose any personal financial information such as credit card account numbers or Social Security numbers. "We take the privacy and security of personal information collected from our customers very seriously, and have cooperated fully and worked closely with the FTC to ensure that we protect our customers to the best of our ability," said Bill Baumann, CIO of Tower.
The agreement requires Tower to maintain a comprehensive information security program that an information security specialist will have to assess and certify within 180 days and then biannually for 10 years. The FTC will also require Tower to maintain certain documents related to its Internet operations and file compliance reports with the FTC.
The FTC did not levy any fines or other penalties against MTS or any of its subsidiaries. The consent agreement is subject to public comment through May 21, after which the FTC will decide whether to make the agreement a final order. Any violation of a final order can result in a civil penalty of up to $11,000. Further information about the public comment period is available at FTC.gov.