Following a 2007 hack that used Structured Query Language (SQL) injection attacks and ultimately exposed the sensitive data of hundreds of customers, Geeks.com agrees with the Federal Trade Commission that the online retailer of computer goods and other consumer electronics failed to provide reasonable security.
Geeks.com agreed Feb. 5 to settle Federal Trade Commission charges stemming from a 2007 data breach at the online retailer of computer goods and other consumer electronics. In the breach, hackers accessed the sensitive information of hundreds of customers.
According to the FTC, Geeks.com routinely stored customers' first and last names, addresses, e-mail addresses, telephone numbers and credit card information in unencrypted text on its corporate computer network. The FTC charged Geeks.com with failing to provide reasonable security to protect sensitive customer data.
The settlement bars Geeks.com from making deceptive privacy
and data security claims and requires Geeks.com to implement and maintain a
comprehensive information-security program that includes
administrative, technical and physical safeguards. The settlement also requires an audit from a
qualified, independent, third-party professional every other year for 10 years.
In addition, the settlement contains standard record keeping provisions to
allow the FTC to monitor compliance.
The FTC claims Geeks.com did not adequately assess whether its Web site and network were vulnerable to commonly known or reasonably foreseeable attacks, such as Structured Query Language injection attacks, and did not implement simple, readily available defenses to these attacks.
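As an added illustration (not code from the article, from Geeks.com or from the FTC's filings), the script below puts the class of defect the FTC described next to the "simple, readily available defense" it refers to: a lookup that splices user input into the SQL text, beside the same lookup using parameter binding. The table layout, customer names and card numbers are constructed test data that mirror the fields the FTC said were stored in clear text; the injection payload is the textbook `' OR '1'='1` tautology.

```python
import sqlite3

# Constructed sample rows (not real customers); the card column is kept in
# clear text on purpose, to show what an injection returns when data is
# stored the way the FTC described.
CUSTOMERS = [
    ("Alice", "Example", "1 Main St", "alice@example.com", "555-0100", "4111111111111111"),
    ("Bob", "Sample", "2 Side Rd", "bob@example.com", "555-0101", "5500000000000004"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (first TEXT, last TEXT, address TEXT, "
        "email TEXT, phone TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """VULNERABLE: the caller-supplied string becomes part of the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT first, last, card FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """HARDENED: parameter binding. The statement structure is fixed before
    the driver ever sees the value, so the input can only ever be compared
    against the email column, never executed."""
    sql = "SELECT first, last, card FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Tautology payload: closes the literal and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both lookups with the payload and summarize what each returned."""
    conn = build_db()
    vuln_rows = lookup_vulnerable(conn, PAYLOAD)
    safe_rows = lookup_safe(conn, PAYLOAD)
    return {
        "vulnerable_rows": len(vuln_rows),           # every customer row
        "vulnerable_cards": [r[2] for r in vuln_rows],  # clear-text card numbers
        "safe_rows": len(safe_rows),                  # no email matches the payload
        "legit_rows": len(lookup_safe(conn, "alice@example.com")),  # normal use still works
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the vulnerable lookup returns both rows, card numbers included, while the parameterized lookup returns nothing for the payload yet still finds a real address. The fix is the binding, not escaping or input filtering; escaping helpers are easy to apply inconsistently, whereas a query that is only ever built with placeholders cannot have its structure altered by data.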
The FTC said that by failing to adequately defend against SQL injection attacks, Geeks.com violated federal law, because it falsely stated that it took reasonable and appropriate measures to protect personal information from unauthorized access. Geeks.com's privacy statement read, in part, "We use secure technology, privacy protection controls and restrictions on employee access in order to safeguard your
Geeks.com did not become aware of the breach until December 2007 and notified customers Jan. 4, 2008.
"We take this breach of our data seriously, and we deeply regret
this incident has occurred. We immediately reported this crime to local
law enforcement authorities, as well as the Secret Service and other
federal authorities," Jerry L. Harken, chief of security for
Geeks.com's parent company, Genica Corp., said in the Jan. 4 letter to
customers. "We also reported the incident to Visa. We have
engaged an outside, nationally recognized security firm to determine
how this incident occurred and to confirm that information we obtain is
protected to the fullest extent reasonably possible."