Breach, Threat Management, Data Security, Vulnerability Management

Clothing retailer settles with FTC over credit card breach

The Federal Trade Commission has approved a final consent order that settles charges an online clothing retailer failed to properly secure its customers' personal information.

The agency, in a Friday announcement, said it voted unanimously to issue the final consent order.

This follows a January FTC settlement announcement in which Boston-based Life is Good -- best known for making T-shirts bearing optimistic slogans -- agreed to implement an information security program and be audited biennially for 20 years.

In 2006, hackers stole nearly 10,000 credit card numbers from the company's database, apparently through SQL injection attacks, a common way to penetrate websites.

The FTC said Life is Good took a number of information security missteps, including:
  • storing credit card data in clear, readable text,
  • failing to address website vulnerabilities and thus opening the site up to attacks, such as SQL injections,
  • and failing to detect unauthorized credit card data access.
The FTC said the merchant deceived customers by stating on its website that it valued and secured private data.

Under the agreement, similar to other arrangements the FTC has made with companies accused of lax information security practices, Life is Good said it will designate an employee to head up the IT security program, identify risks associated with security, design and deploy measures to mitigate risk, institute processes to select third-party service providers, and regularly evaluate its information security program.

Jim Laughlin, spokesman for Life is Good, told SCMagazineUS.com on Monday that the retailer took action within months of announcing the breach in the fall of 2006.

"We implemented a full suite of actions to make sure our website is secure so our customers could operate with complete trust,"  he said. "We've done a lot of investment on the IT front to ensure nothing like this happens again."

That included stopping the storage of credit card numbers, implementing a custom-coded back-end shopping cart, properly segmenting the database server from the web server, and ensuring no public IP addresses link to the database, he said.

In addition, the company now conducts quarterly network vulnerability scans and a yearly application security test, Laughlin said. And in November, it launched a new website built on Open Web Application Security Project (OWASP) standards.

"It was a critical moment for a young organization to address this fully and ensure we have everything secure," Laughlin said.

No incidents of fraud were reported as a result of the breach.

Life is Good, with about 250 employees, was founded in 1994.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.