Settles FTC Charges

Following a 2007 hack using Structured Query Language injection attacks that ultimately exposed the sensitive data of hundreds of customers, agrees with Federal Trade Commission that the online retailer of computer goods and other consumer electronics failed to provide reasonable security. agreed Feb. 5 to settle with the Federal Trade Commission charges stemming from a 2007 data breach at the online retailer of computer goods and other consumer electronics.

During the breach, hackers accessed the sensitive information of hundreds of customers. According to the FTC, routinely stored in unencrypted text on its corporate computer network customers' first and last name, address, e-mail address, telephone number and credit card information. The FTC charged for failing to provide reasonable security to protect sensitive customer data.

The settlement bars from making deceptive privacy and data security claims and requires to implement and maintain a comprehensive information-security program that includes administrative, technical and physical safeguards. The settlement also requires an audit from a qualified, independent, third-party professional every other year for 10 years.

In addition, the settlement contains standard record keeping provisions to allow the FTC to monitor compliance.

The FTC claims did not adequately assess whether its Web application and network were vulnerable to commonly known or reasonably foreseeable attacks, such as Structured Query Language injection attacks. The FTC said did not implement simple, readily available defenses to these attacks.

While not adequately defending against SQL injection attacks, violated federal law by falsely stating it took reasonable and appropriate measures to protect personal information from unauthorized access.

During the time of the breach,'s privacy policy stated, in part, "We use secure technology, privacy protection controls and restrictions on employee access in order to safeguard your information." did not become aware of the breach until December 2007 and notified customers Jan. 4, 2008.

"We take this breach of our data seriously, and we deeply regret that this incident has occurred. We immediately reported this crime to local law enforcement authorities, as well as the Secret Service and other federal authorities," Jerry L. Harken, chief of security for's parent company, Genica Corp., said in the Jan. 4 letter to customers. "We also reported the incident to Visa. We have engaged an outside, nationally recognized security firm to determine how this incident occurred and to confirm that information we obtain is protected to the fullest extent reasonably possible."