Petco settles charge it left customer data exposed

The U.S. Federal Trade Commission (FTC) has reached a settlement with pet food retailer Petco Animal Supplies of charges that the company's Web site violated federal law by making deceptive security claims.

A security flaw in Petco's Web site left customers' credit card numbers exposed to attackers. The FTC alleges that Petco did not take reasonable measures to protect its Web site and made deceptive claims in stating that customers' credit card numbers would be "shielded from unauthorized access."

This flaw was exploited in a June 2003 attack on Petco.com in which a visitor was able to read customer data stored in Petco's database. According to Petco, the attack was perpetrated by an independent security consultant named Jeremiah Jacks, who immediately informed Petco of the vulnerability.

The vulnerability exposed only a limited amount of customer information, a Petco spokesman said. "What he got was credit card numbers, but there was no other customer information accompanying those numbers," he said.

Under the terms of the settlement, announced Wednesday, Petco is prohibited from misrepresenting the security of its Web site and must establish a comprehensive security information program, which will be subject to independent audits for the next 20 years, said Alain Sheer, an attorney in the FTC's Division of Financial Practices.

Petco could be held in contempt of court if it violates the agreement, Sheer said.

It should help to deter other companies from ignoring and misrepresenting security vulnerabilities on their Web sites, he added. "Obviously there's some pretty bad publicity here," Sheer said. "We think that should be a deterrent."

The FTC has reached similar settlements with Eli Lilly, Microsoft, Guess and Tower Direct, Sheer said.

"Petco is committed to keeping all customer information obtained through our Web site and stores private and secure," the Petco spokesman said.