Guess Settles FTC Web-Security Case
Los Angeles–based Guess? Inc. has reached a settlement with the Federal Trade Commission regarding allegations that the clothing company did not provide proper security measures on its Web site, www.guess.com, to protect visitors from computer hackers.
The security breach exposed important information, such as names, addresses and credit-card numbers, to hackers, the FTC said. According to the FTC complaint, Guess’ Web site did not store consumers’ personal information in an unreadable, encrypted format at all times and failed to protect against commonly known assaults, such as “Structured Query Language (SQL) injection attacks” and other Web-based application attacks, since October 2000. Guess’ online statements reassured consumers that their personal information would be secure and protected.
In February 2002, a visitor to the Web site, using an SQL injection attack, was able to read—in clear text—credit-card numbers stored in Guess’ databases, according to the FTC.
As part of the settlement, Guess will implement a comprehensive information-security program for all of its Web sites.
“Consumers have every right to expect that a business that says it’s keeping personal information secure is doing exactly that,” said Howard Beales, director of the FTC’s Bureau of Consumer Protection. “It’s not just good business—it’s the law.”
The Guess settlement prohibits the company from misrepresenting the extent to which it maintains and protects the security of personal information collected from or about consumers. It also requires that Guess establish and maintain a comprehensive information-security program. In addition, Guess must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within the year, and every other year thereafter.
Molly Morse, a spokesperson for Guess, said despite the FTC’s charges, none of its customers’ personal information was compromised by the alleged security breach.
“We cooperated fully with the FTC’s review,” she said. “No consumers were harmed in the single incident in which a hacker entered our site more than a year ago. Since that time, we have upgraded our site to best ensure the security of our consumers’ personal information. Going forward, we will continue to monitor and upgrade our site in order to safeguard the privacy of our consumers.” —Robert McAllister