BJ's settlement with FTC bodes ill for others

By Shawna McAlearney, News Editor 20 Jun 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

The Federal Trade Commission's decision last week to force wholesale club BJ's to increase its security after a privacy breach may mark its increased interest in upgraded security for all who deal with personal identifiable information. This includes CardSystems, which revealed Friday that it had failed to secure the information of 40 million MasterCard, Visa and other credit card customers.

"Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security," Deborah Platt Majoras, chairman of the FTC, said in a statement. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."

The FTC decision
BJ's settled with the FTC on charges that its "failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law," said an FTC statement. According to the FTC, the information stolen from BJ's was used to make millions of dollars of fraudulent purchases.

The FTC alleged BJ's didn't provide "reasonable security" for its computer network. Specifically, the FTC said BJ's:

• Failed to encrypt consumer information when it was transmitted or stored on computers in its stores;



• Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;



• Stored the information in files that could be accessed using commonly known default user IDs and passwords;



• Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and



• Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

Allegedly, the fraudulent purchases were made using counterfeit copies of credit and debit cards, causing banks to cancel and reissue thousands of credit and debit cards while consumers worried about identity theft. BJ's said the resulting lawsuits seek the return of millions of dollars in fraudulent purchases and operating expenses estimated at approximately $13 million.

Related news on recent data security breaches Phishers exploit MasterCard breach Lawsuit could amplify data protection laws

The settlement will require BJ's to implement a comprehensive information security program that includes administrative, technical and physical safeguards, and obtain audits by an independent security firm every other year for 20 years.

The FTC says that comprehensive information security program will identify internal and external risks; require an employee be designated to coordinate and be accountable for the program; and design and implement reasonable safeguards to control risks identified through risk assessment and regular testing or monitoring.

"BJ's is just the latest in a string of FTC enforcement actions against companies that compromise the security of consumer information," said Mike Overly, a partner at law firm Foley & Lardner, specializing in cyberlaw. "The FTC has made clear in its public statements that these types of actions are now a priority and that it will not hesitate to prosecute companies that compromise security."

CardSystems in the hot seat
With regard to CardSystems Solutions Inc., Overly said the FTC could conduct its own investigation to determine whether statements made to consumers about privacy were false or misleading. "As in BJ's, this would turn on whether consumers were led to believe their data would be safe and, in fact, CardSystems failed to exercise due care commensurate with its statements to protect that data."

In what could be the largest data breach so far, the credit card processor said it had suffered a break-in that exposed the personal data of more than 40 million MasterCard, Visa, Discover and American Express credit card accounts. CardSystems discovered the breach back in May when investigating a number of fraudulent MasterCard transactions.

News of this breach comes less than two weeks before the new Payment Card Industry (PCI) Data Security Standards go into effect. PCI requires those who process payment cards to carry out a 12-step audit, which will be certified annually and checked every quarter.

The method the attackers used in the CardSystems hack was not disclosed. Netcraft reports the CardSystems Web site runs on Windows 2000 and Microsoft IIS Server 5.0.

"The FTC will be the least of CardSystems' worries," Overly said. "It may be subject to multiple consumer actions as well as actions by various state attorney generals."

Ben Wright, an independent attorney, noted that NY Attorney General Eliot Spitzer brought an action against Ziff Davis in 2002 for weak Web site security. Hackers had broken into its customer database, stolen credit card numbers and used some of the numbers to commit fraud. Spitzer forced the company to pay $125,000 fine.

Recent high-profile breaches include Bank of America, Citibank, Lexis-Nexis, ChoicePoint, among others. Guess Inc. and Eli Lilly both had to increase security because of FTC demands.

Tags: Database Security Management,  Information Security Laws, Investigations and Ethics,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research Information Security Laws, Investigations and Ethics Melissa Hathaway urges more cooperation, government attention to cybersecurity Cybersecurity czar candidate questions clout of new position DHS fills National Cybersecurity Center post FTC shutters rogue ISP for hosting malicious content, botnets Experts optimistic of Obama cybersecurity plan WH cybersecurity plan needs private sector guidance Obama announces creation of cybersecurity coordinator position Cybersecurity Act of 2009: Power grab, or necessary step? Face-off: Who should be in charge of cybersecurity? Feds should get private sector advice on cybersecurity

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary