FTC settles with Guess on Web vulnerabilities

WASHINGTON - The U.S. Federal Trade Commission (FTC) has settled a case with clothing and accessory vendor Guess, in which the agency accused the company of not taking appropriate measures to secure its Guess.com Web site.

The agency accused Guess of leaving its Web site open to "commonly known" attacks, including the common SQL injection attack, since October 2000, although the company claimed to protect consumer data. In February 2002, a SQL injection attack caused the release of an undisclosed number of credit card numbers stored in the Guess database, the FTC said.

Under the settlement, announced Wednesday, the company is prohibited from misrepresenting the security of customers' personal information. Guess must also maintain a comprehensive security program at its Web sites and submit an independent security auditor's report to the FTC every two years during the entire 20-year length of the settlement.

This is the third such settlement the FTC has entered into in the last year and a half. In January 2002, the agency settled with Eli Lilly for its distribution of an e-mail showing in the "to" field the e-mail addresses of 669 users of the antidepressant drug Prozac. In August 2002, the FTC settled with Microsoft about the company's security claims of its Passport Web password services.

The FTC is using a variety of methods, including actions against companies and educational programs, to force companies to pay attention to Web security, said Joel Winston, associate director for financial practices in the FTC's Bureau of Consumer Protection.

Along with the Guess settlement, the agency on Wednesday announced the release of a fact sheet for business, "Security Check: Reducing Risks to your Computer Systems," which will be available at the www.ftc.gov Web site. In addition to the information it contains, the publication also points to other Web sites, including one identifying the 20 most critical Internet Security vulnerabilities, http://www.sans.org; and another identifying the 10 most critical Web application security vulnerabilities, http://www.owasp.org.

"We're trying to get out the message to consumers and businesses about the importance of security," Winston said. "In a sense, the message is a very basic and broad one: When you make claims to people about what your product does, it needs to do it."

Guess issued a statement regarding the settlement, but didn't immediately respond to further questions. "We cooperated fully with the FTC's review," the statement said. "No consumers were harmed in the single incident in which a hacker entered our site more than a year ago. Since that time, we have upgraded our site to best ensure the security of our consumers' personal information. Going forward, we will continue to monitor and make improvements to our site in order to safeguard the privacy of our consumers."

According to the FTC, Guess told customers their personal information would be protected. For example, it included in its Web site the statements: "This site has security measures in place to protect the loss, misuse, and alteration of information under our control" and "All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times."

Although the company had claimed to store customer data in an encrypted, unreadable format, the Febuary 2002 attack allowed the attacker to read credit card numbers in clear text, according to the FTC complaint against Guess. Winston wouldn't disclose how many credit card numbers were compromised in that SQL injection attack.

"It appears there are companies out there that are making these sorts of claims without a lot of thought," he said. "In this case, we felt that (attack) was a foreseeable risk. It was one that was fairly well investigated."

The FTC voted 5-0 to accept the settlement. The agreement will be subject to public comment for 30 days, until July 18, after which the FTC will decide whether to make it final.

Copyright © 2003 IDG Communications, Inc.