Online Retailer Settles Charges That It Left Consumer Data Open To HackersOnline Retailer Settles Charges That It Left Consumer Data Open To Hackers

An online retailer has settled with the Federal Trade Commission on charges it didn't protect consumer information and that its security failures allowed hackers to steal credit card information.

An FTC complaint states that the company, "Life is good," claimed in its privacy policy that it was committed to protecting consumer information and stored the information in a secure file used to tailor communications with consumers. The FTC said that "Life is good" lacked "reasonable and appropriate security for the sensitive consumer information stored on its computer network."

The FTC said the company stored the information, including credit card security codes, indefinitely in plain readable text on its network and failed check its own Web site and network for vulnerability to well-known and reasonably foreseeable attacks, like SQL injection. The FTC said "Life is good" failed to use free or low-cost security to monitor and control network connections and prevent such attacks. Finally, the FTC claims that the company did not take reasonable measures to detect unauthorized access to the information.

"A hacker was able to use SQL injection attacks on Life is good's Web site to access the credit card numbers, expiration dates, and security codes of thousands of consumers," the FTC said in a statement announcing the settlement.

Under the terms of the settlement, Life is good will not make deceptive claims about its privacy and security policies and will create and maintain a comprehensive security program to protect consumer privacy. The security program also will include administrative, technical, and physical safeguards.

The company will dedicate one or more employees to coordinate information security, identify internal and external risks to consumer information, assess its security practices, and strengthen security as needed. The company also will choose and supervise service providers that handle its customer information. "Life is good" will use a third-party security auditor to assess its security biennially for the next 20 years and certify that the company meets or exceeds the terms of the FTC settlement. Finally, the company will retain records to allow the FTC to monitor compliance.

The FTC will allow 30 days of public comment on the order before voting on whether to make the settlement final.