Friday, June 20, 2003

Guess and FTC Settlement

The SANS and Neohapsis Security Alert Consensus told me of the settlement between Guess and the FTC. From the article:

According to the FTC complaint, since at least October 2000, Guess' Web site has been vulnerable to commonly known attacks such as "Structured Query Language (SQL) injection attacks" and other web-based application attacks. Guess' online statements reassured consumers that their personal information would be secure and protected. The company's claims included "This site has security measures in place to protect the loss, misuse, and alteration of information under our control" and "All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times." In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and Guess' security measures failed to protect against SQL and other commonly known attacks. In February 2002, a vistor to the Web site, using an SQL injection attack, was able to read in clear text credit card numbers stored in Guess' databases, according to the FTC.

No comments: