The Federal Trade Commission's decision last week to force wholesale club BJ's to increase its security after a privacy breach may signal a broader interest in stronger security from everyone who handles personally identifiable information. That includes CardSystems, which revealed Friday that it had failed to secure the information of 40 million MasterCard, Visa and other credit card customers.
"Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security," Deborah Platt Majoras, chairman of the FTC, said in a statement. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."
The FTC decision
BJ's settled with the FTC on charges that its "failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law," said an FTC statement. According to the FTC, the information stolen from BJ's was used to make millions of dollars of fraudulent purchases.
The FTC alleged BJ's didn't provide "reasonable security" for its computer network. Specifically, the FTC said BJ's:
- Failed to encrypt consumer information when it was transmitted or stored on computers in its stores;
- Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even after it no longer needed the information;
- Stored the information in files that could be accessed using commonly known default user IDs and passwords;
- Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
- Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.
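The first two items on that list are things a store operator can check for directly: full magnetic-stripe track data has a fixed layout, so scanning what a point-of-sale system has written to disk shows whether unencrypted track data is present and how long it has sat there. The Python script below is an added example, not code from the article, the FTC or BJ's. The file records, paths and dates it scans are constructed for the example, the card numbers are standard test numbers rather than real accounts, and the Track 1 and Track 2 layouts are the ones encoded on the stripe (start sentinel, PAN, separator, YYMM expiry, service code, discretionary data, end sentinel).

```python
"""Scan files retained on a store system for magnetic-stripe track data.

Added example, not code from the article, the FTC or BJ's. The file
records below are constructed; the card numbers are standard test
numbers, not real accounts.
"""
import re
from datetime import date

# Track 2 as encoded on the stripe: ';' PAN '=' YY MM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1 format B: '%B' PAN '^' name '^' YY MM service-code discretionary '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so the report is not itself cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return (track, masked_pan, expiry_yymm) for each plausible full-track record in text."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append(("track2", mask_pan(pan), m.group(2) + m.group(3)))
    for m in TRACK1_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append(("track1", mask_pan(pan), m.group(3) + m.group(4)))
    return hits


def audit_retained_files(files: list, today: date) -> list:
    """Flag every file that still holds full track data, with how long it has been retained.

    Any post-authorization copy of track data is a finding; the age is reported
    because the FTC complaint turned on data being kept (up to 30 days) after it
    was no longer needed. Encrypted content does not contain the sentinel
    patterns and so yields no finding, which is the outcome you want.
    """
    findings = []
    for f in files:
        hits = find_track_data(f["content"])
        if not hits:
            continue
        findings.append({
            "file": f["name"],
            "age_days": (today - f["modified"]).days,
            "records": len(hits),
            "pans": sorted({h[1] for h in hits}),
        })
    return findings


# Constructed sample of files as they might sit on a store controller (paths are assumptions).
SAMPLE_FILES = [
    {   # settlement batch kept after authorization: full Track 2 records, 25 days old
        "name": "/pos/batch/20050520.dat",
        "modified": date(2005, 5, 20),
        "content": "0001;4111111111111111=0812101123456789?\n"
                   "0002;5555555555554444=0901101987654321?\n",
    },
    {   # PIN pad debug log that captured Track 1 from a swipe
        "name": "/pos/logs/pinpad.log",
        "modified": date(2005, 6, 10),
        "content": "swipe ok %B4111111111111111^DOE/JANE^0812101000000?\n",
    },
    {   # order reference that looks like Track 2 but fails Luhn: not a PAN, must not be reported
        "name": "/pos/logs/sync.log",
        "modified": date(2005, 6, 13),
        "content": "ref ;1234567890123456=0812101? accepted\n",
    },
]


def run_sample() -> list:
    """Audit the constructed sample as of the article's date (assumed 2005-06-14)."""
    return audit_retained_files(SAMPLE_FILES, date(2005, 6, 14))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running it reports the batch file (two records, 25 days old) and the PIN pad log (one record, 4 days old) and stays silent on the sync log, whose 16-digit number fails the Luhn check. The report masks every PAN so the audit output does not become another copy of the data the audit is looking for.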
Allegedly, the fraudulent purchases were made using counterfeit copies of credit and debit cards, causing banks to cancel and reissue thousands of cards while consumers worried about identity theft. BJ's said the resulting lawsuits seek recovery of the fraudulent purchases and related operating expenses, which it estimated at approximately $13 million.
The settlement will require BJ's to implement a comprehensive information security program that includes administrative, technical and physical safeguards, and obtain audits by an independent security firm every other year for 20 years.
The FTC says the comprehensive information security program must identify internal and external risks; require that an employee be designated to coordinate and be accountable for the program; and design and implement reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring.
"BJ's is just the latest in a string of FTC enforcement actions against companies that compromise the security of consumer information," said Mike Overly, a partner at law firm Foley & Lardner, specializing in cyberlaw. "The FTC has made clear in its public statements that these types of actions are now a priority and that it will not hesitate to prosecute companies that compromise security."
CardSystems in the hot seat
With regard to CardSystems Solutions Inc., Overly said the FTC could conduct its own investigation to determine whether statements made to consumers about privacy were false or misleading. "As in BJ's, this would turn on whether consumers were led to believe their data would be safe and, in fact, CardSystems failed to exercise due care commensurate with its statements to protect that data."
In what could be the largest data breach so far, the credit card processor said it had suffered a break-in that exposed the personal data of more than 40 million MasterCard, Visa, Discover and American Express credit card accounts. CardSystems discovered the breach back in May when investigating a number of fraudulent MasterCard transactions.
News of this breach comes less than two weeks before the new Payment Card Industry (PCI) Data Security Standard takes effect. PCI lays out 12 requirements for anyone who processes payment cards; compliance is validated annually, with network scans every quarter.
The method the attackers used in the CardSystems hack was not disclosed. Netcraft reports that the CardSystems Web site runs on Windows 2000 and Microsoft IIS 5.0, but the public Web server is not necessarily the system that handled the card data, so that alone says little about how the attackers got in.
"The FTC will be the least of CardSystems' worries," Overly said. "It may be subject to multiple consumer actions as well as actions by various state attorneys general."
Ben Wright, an independent attorney, noted that New York Attorney General Eliot Spitzer brought an action against Ziff Davis in 2002 for weak Web site security. Hackers had broken into its customer database, stolen credit card numbers and used some of the numbers to commit fraud. Spitzer forced the company to pay a $125,000 fine.
Recent high-profile breaches include those at Bank of America, Citibank, LexisNexis and ChoicePoint, among others. Guess Inc. and Eli Lilly both had to increase security because of FTC demands.